"Google, Microsoft Can Get Your Passwords via Web Browser's Spellcheck"

Extended spellcheck features in the Google Chrome and Microsoft Edge web browsers send form data to Google and Microsoft, including Personally Identifiable Information (PII) and, in some cases, passwords. While this is a known and intended feature of these web browsers, it raises questions about what happens to the data after transmission and how safe the practice is, especially regarding password fields. Basic spellcheckers are enabled by default in Chrome and Edge. However, features such as Chrome's Enhanced Spellcheck or Microsoft Editor, which the user must enable manually, pose this potential privacy risk. Depending on the website visited, the form data may include Social Security Numbers (SSNs), Social Insurance Numbers (SINs), name, address, email, date of birth, contact information, bank and payment information, and other PII. Josh Summitt, co-founder and CTO of the JavaScript security firm otto-js, discovered this issue while testing the company's script behavior detection. When Chrome's Enhanced Spellcheck or Edge's Microsoft Editor was enabled, anything entered in these browsers' form fields was sent to Google and Microsoft. This article continues to discuss the spell-jacking practice and a suggested HTML solution to this problem.

Bleeping Computer reports "Google, Microsoft Can Get Your Passwords via Web Browser's Spellcheck"
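
As an added illustration (not code from the article or from otto-js), the following Python audit flags credential and PII fields that a page leaves open to browser spellcheck. It assumes the HTML fix in question is the standard `spellcheck="false"` attribute; the field-name hints and sample markup are constructed for this example.

```python
from html.parser import HTMLParser

VOID = {"input", "br", "img", "hr", "meta", "link"}
TEXT_TYPES = {"text", "search", "email", "tel", "url", "password"}
# Constructed name hints for fields likely to hold credentials or PII.
HINTS = ("pass", "ssn", "card", "cvv", "dob", "birth", "iban")

class SpellcheckAudit(HTMLParser):
    # Collects sensitive fields whose effective spellcheck state is not "false".
    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, spellcheck disabled?) for each open element
        self.findings = []  # name/id of each exposed field

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        inherited = self.stack[-1][1] if self.stack else False
        # spellcheck is inherited; an explicit value overrides the ancestor's.
        if "spellcheck" in a:
            disabled = (a["spellcheck"] or "").lower() == "false"
        else:
            disabled = inherited
        if tag not in VOID:
            self.stack.append((tag, disabled))
        kind = (a.get("type") or "text").lower()
        if tag == "textarea" or (tag == "input" and kind in TEXT_TYPES):
            label = a.get("name") or a.get("id") or ""
            # Password inputs count: a "show password" toggle makes them text.
            sensitive = (tag == "input" and kind == "password") or any(
                h in label.lower() for h in HINTS)
            if sensitive and not disabled:
                self.findings.append(label)

    def handle_endtag(self, tag):
        # Pop back to the matching open element (tolerates sloppy markup).
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit(html):
    parser = SpellcheckAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample markup: two forms with mixed spellcheck settings.
SAMPLE = ('<form id="login"><input type="text" name="username">'
          '<input type="password" name="password">'
          '<input type="text" name="ssn" spellcheck="false"></form>'
          '<form id="pay" spellcheck="false"><input type="text" name="card_number">'
          '<textarea name="dob_notes" spellcheck="true"></textarea></form>')
```

Running `audit(SAMPLE)` reports the login password field and the textarea that re-enables spellcheck inside a form that had disabled it.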
