Don't use Chrome's and Edge's Enhanced Spellcheck features
Google Chrome and Microsoft Edge include options to improve the basic spellchecking functionality of the web browser.
Chrome's Enhanced Spellcheck and Microsoft Edge's Microsoft Editor are designed to improve spellchecking further, but they do by transferring pretty much anything that users type into fields to company servers.
Chrome users find the Enhanced Spellcheck feature on the Languages settings page. It can be accessed by loading chrome://settings/languages in the browser's address bar, or by selecting Menu > Settings > Languages.
Once enabled, Chrome uses the same spell checker that Google Search uses. Google notes that text that users type after enabling the feature is sent to Google.
Similarly, when users enable Microsoft Editor in the Edge browser, they improve spell checking but have their typed data submitted to Microsoft as a consequence. Microsoft does not mention that typed data is sent to company servers when Microsoft Editor is enabled.
Josh Summitt published his findings on the functionality of the enhanced spell checkers on the otto-js company blog.
Summitt discovered that the browser's were sending almost any typed data automatically after the enhanced spell checking features were enabled; this included usernames, email addresses, but also anything typed as comments or in forms.
Passwords are not submitted by default, but when users use the "show password" option on websites, they are submitted automatically. The passwords are then sent to third-party servers along with other information.
It takes a single click to enable the enhanced functionality. Google does inform users about the sending of typed data, whereas Microsoft does not in Edge. Summitt notes that home users and organizations are affected alike.
A spell-jacking video demonstrates how organizations could inadvertently expose information about a company's cloud infrastructure, including servers, databases, corporate email accounts and password managers, to Google or Microsoft.
Chrome and Edge users may want to make sure that the enhanced features are not enabled in their browsers. It is unclear how the data is processed, how it is used and whether it is stored or not.
How to disable the Enhanced Spell Checker in Chrome
- Load chrome://settings/languages in the browser's address bar or go to Menu > Settings > Languages.
- Locate the Spell Check group of preferences on the page.
- Make sure that "Basic spell check" is enabled, or that "Check for spelling errors when you type text on web pages" is turned off completely.
How to disable the Microsoft Editor in Microsoft Edge
- Load edge://settings/languages in the Microsoft Edge address bar, or go to Menu > Settings > Languages.
- Locate the "use write assistance" group of options on the page.
- Make sure that Basic is selected, or that "use writing assistance" is turned off entirely.
Enhanced spell checking is a useful feature as it promises to find spelling and grammar issues that basic spell checking can't detect. The improvement comes at the cost of submitting data to the cloud. Considering that anything that is typed, with the exception of passwords, are submitted automatically, most Internet users may want to disable the functionality.
Now You: do you use spell checking in your browser? (via Bleeping Computer)