Leaking Passwords through the Spellchecker

Sometimes browser spellcheckers leak passwords:

When using major web browsers like Chrome and Edge, your form data is transmitted to Google and Microsoft, respectively, should enhanced spellcheck features be enabled.

Depending on the website you visit, the form data may itself include PII­—including but not limited to Social Security Numbers (SSNs)/Social Insurance Numbers (SINs), name, address, email, date of birth (DOB), contact information, bank and payment information, and so on.

The solution is to only use the spellchecker options that keep the data on your computer—and don’t send it into the cloud.

Posted on September 26, 2022 at 6:08 AM13 Comments


Clark Gaylord September 26, 2022 7:00 AM

Sure, but there’s also no question that these tools benefit dramatically from having data from the endpoint systems. It is easy enough to filter things that look like dob, ssn. We use these filters in reverse to find data (eg Identity Finder). Of course there’s the problem of where this happens (server side, client side) how trusted the code is in doing this, etc.

Stuart Ward September 26, 2022 7:58 AM

Web site owners are mostly complicit in this in not marking up password fields with the correct tags, <input type="password"

I also complain that the should add the autocomplete="current_password" so that password managers can correctly complete this.

JonKnowsNothing September 26, 2022 7:59 AM


re: don’t send it into the cloud

For enormous swaths of users, they don’t get a choice, the cloud is enabled by default and by requirement.

There are services that upload all sorts of documents and return them via download into other formats. If it happens to be a required document, like an for application to some on-line service, company or employer, you are SOL.

Saying Don’t Do It, really isn’t much help.

Marcus September 26, 2022 9:49 AM

Google and Microsoft have access to all the email for their users. These emails include temporary passwords (password reset or creating an account on a new site). And of course the emails also include PII of all sorts.

So PII and passwords leaking to Google and Microsoft is not a big deal if you already use their email services.

In other words, if you are concerned that spellchecking leaks PII and passwords to Microsoft and Google, then you should not use their enhanced spellcheck features. Also you should not use their email. And you should not communicate by email with anybody who uses Google and Microsoft email either.

what September 26, 2022 10:13 AM

Re: Also you should not use their email. And you should not communicate by email with anybody who uses Google and Microsoft email either.

Those mitagations are not the only available at the concerned person end and control. Under the user’s control the alternatives are disably cloud-based spell-checkers, transmission of PII containing documents and messages by first encrypting them before putting them in email. However whatever mitigations or lack of by other parties who have access to PII is outside the control of the persons who own the PII. So the respect deserved by a person’s PII has still has to be enforced on those parties leaking PII via email and spell checkers. My health centre does not send messages with health information and PII in message bodies of email so as to prevent undue leakage of health information abd PII at both the sender and recever sides

Adequate mitigations are available to prevent the violations of PII laws against leakages.

Ted September 26, 2022 1:06 PM

It’s good that some of the companies contacted about “Spell-Jacking” responded with mitigations.

In LastPass’ case, the remedy was reached by adding a simple HTML attribute spellcheck=”false” to the password field

It’s perplexing that Twitter would explicitly set the spellcheck attribute on the password field to “true.” Especially in combination with having a “show password” option.

It makes me wonder how many browser add-ons send sensitive data fields to the cloud.

Leticia September 26, 2022 7:26 PM

@ Clark Gaylord,

Sure, but there’s also no question that these tools benefit dramatically from having data from the endpoint systems.

I question it. Back in the 1980s, it took heroic efforts to store large wordlists and search them efficiently. In the 2000s, that problem was basically gone, and it was practical to use a 20 or 100 MB word list in the most naïve way possible. How many new words could’ve been created since then that I’d find the difference “dramatic”?

I could imagine something like a grammar checker having a dramatic difference from back then, but still not enough to require the computing power of “the cloud”—this is probably more about the companies not wanting to ship their algorithms to end users where they could be reverse-engineered. (Also, I’d really hope nobody’s trying to teach computers correct grammer based on the shit people type into their web browsers.)

lurker September 26, 2022 10:59 PM


How many users know or care where their spellchecker lives? and have it always on because thumbs are fat …

Clive Robinson September 27, 2022 7:19 AM

@ Bruce, ALL,

“Sometimes browser spellcheckers leak passwords:”

This is a problem that has been known about for a long time.

I found out that it was happening when I was checking another “browser spellchecker” issue of reporting back user bio-metrics.

That is it enables the detection of “User bio-metrics”. Specifically “typing cadence” and “spelling mistake types” very accurately as a moments thought will confirm. Worse it leaks the typing cadence and some of the spelling information out to the network so the NSA and other SigInt agencies will “pick it up from the wire”… I’ve mentioned these problems on this blog before (searching for “typing cadence” will probably pull it up). I also tried reporting it but it quickly became clear that it was getting the “Heads in sand, asses in the air” treatment by those not just web servers but those designing web browsers and the user interfaces they use…

So it’s a known problem between half a decade and a decade old. But… those who should be fixing it in the Web Standards etc are too busy sitting on their hands and “doing their masters biding… Likewise the W3C has be “captured” by the likes of Google, so don’t expect any improvment unless sufficient “adverse publicity” can be generated.

The easy and sensible mitigation to the problem, with some browsers, as I keep saying is,

“Turn off javascript.”

I guess @SpaceLifeForm will understand why I will probably need a new tree “to shout at”, and a bigger shotgun to “shoot at clouds with”[1]…

[1] This is because I don’t have the patience to wait for goats to faint or drop dead… Apparently pitching rocks at them instead, is somewhat frowned upon which is a shame. Apparently it’s because although goats are without doubt a bl@@dy nuisance, they do have some redeaming features besides becoming joints of meat. So they are not considered as vermin to be exterminated, but live stock, thus have some rights granted to them they are not aware of. Of course those granting them their rights, don’t have to go anywhere close to them.

Jesse Thompson September 28, 2022 4:56 PM

Just file this under “user does not actually own the physical hardware”.

Even though that’s mostly not a legal distinction, it’s still a “99% of users know and/or care too little to defend their own hardware sovereignty” distinction.

I wonder if grassroots organizations might be able to spring up that could offer sysadmin services to end-users for a fee?

They could specialize in procedural transparency, and power users can refer friends/family to more trusted sysadmin organizations instead of always handling sysadmin by hand.

Sysadmin organizations could even control enough market share to improve bargaining power against software and service providers.

EG: can we just unionize end-user systems administration? 😀

Grima Squeakersen September 30, 2022 8:10 AM

@Clive: I never allow JS unless I am on a site where I must do some function that requires it. When I do allow JS, I clear all browser data before and after browsing that site (I typically load only one domain at a time, although obviously domain/web page structure can easily defeat that mitigation). I always use PWSafe to populate password fields. I compose email content, replies to forum posts, etc. in a local minimal-function text editor and paste into web forms, using a local spell checker in that editor first if I am concerned with spelling errors (seldom), so there is no cadence and little in the way of spelling aberrations to measure. Not perfect, nothing will be, but imo fairly effective against at least casual attempts at compromising my identity and information. Of course, the typical internet user (who really just wants authoritarian sources to tell him what to think, and then confirm that those thoughts are correct) prizes convenience and ease over all else, so that person will never do any of that.

Paul Beck September 30, 2022 4:34 PM

I think @Leticia hit it spot on and to Bruce’s point. There’s things you need the power of the cloud for and then there’s those that do not. Don’t require it if you don’t need it. Spell-check/Grammar Check data needed for literally every language in the world is relatively speaking not a massive amount of data that changes all that much minute to minute or even year to year. Update it periodically, sure, but keep it strictly local- the other side of the form probably loves it, but they do not need it. And as far as cloud-based spellcheck goes, the end user does not need either.

SpaceLifeForm September 30, 2022 6:44 PM

re: adverse publicity

Listen to what I am saying here folks. I did not fall off of the turnip truck yesterday. I used the Mosaic browser on a true xterm long ago before Netscape existed. I beta tested Netscape. I have been paying attention and connecting dots for decades.


Now, pay attention.

Use FireFox, and the plugins uBlock Origin, Privacy Badger, and Cookie Autodelete. Turn off Javascript via about:config and you will be amazed.

If a website complains, you do not want to go there. Close the tab. Look for the info on a different site.

Just try it. You can still use a different browser if you are so inclined.


Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.