According to the publication TechRadar, programs for checking spelling and correcting errors in text can collect passwords and other sensitive data of users.

Security analysts from the otto-js company decided to examine the auto-checking and text correction features added to the Chrome and Edge browsers. In the course of their research, they came across a strange behavior of the applications: the services were sending users’ names, e-mail addresses and passwords to the network without their consent.

This happens in situations where a website shows a person the password they are entering, or when the user wants to verify a typed password that is hidden behind dots or asterisks. A person “decodes” his password by clicking on the appropriate button, and automatically gives this data, which is sent to Google and Microsoft servers.

At the same time, it is important to note that this is an extended form of spell check, which is included in both browsers separately. By default, the primitive version works, which does not send data to the company’s servers. Those concerned about data security should disable advanced text validation features in Chrome and Edge.