Hi guys,

If you use the extended spell checking feature in Google Chrome or Microsoft Edge (this is based on Chrome), Google and Microsoft can read any personally identifiable information (PII), including passwords that you enter into websites. This is possible because of enhanced spell checking, which allows the browser to read the information you type into text boxes, including passwords, to check it for spelling mistakes.

Otto-js co-founder & CTO Josh Summitt discovered this spellcheck leak while testing scripts in his company. You can read his full blog posting HERE and watch a short video showing how it works HERE.

Luckily, Enhanced Spellcheck (Chrome) or Microsoft Editor (Edge) is not enabled by default, and it is straightforward to check if it is turned on or off.

Follow these instructions if you do not want Google and Microsoft not to be able to read your passwords:

Google Chrome:

  • Open your browser
  • In the address bar type in the following: chrome://settings/?search=Enhanced+Spell+Check
  • Make sure you are using the Basic spell check (this does not send any info to Google)

Microsoft Edge

Microsoft Editor Spelling & Grammar Checker is a browser add-on that must be installed for this data transmission. Make sure you do not have this installed – https://microsoftedge.microsoft.com/addons/detail/microsoft-editor-spellin/hokifickgkhplphjiodbggjmoafhignh

Please share this tip with anyone who uses Chrome or Edge.

All the very best,

Max Roberts,
Incognito Privacy Care Team.