Your Browser’s Spellchecker Leaks Your Password

Yay – we have yet another way in which companies like Google and Microsoft grab your sensitive data. Though in this case it’s probably inadvertent that they’re doing so.

Still, no one is saying what’s happening to that data once they get it or if they’re going to make attempts to scrub the data now that they are aware of the issue.

How Does The Flaw Work?

When ENHANCED SPELL CHECK is enabled in a browser, data is sent to outside servers. For most users, this means the data is sent to Google or Microsoft.

In the case of Microsoft’s EDGE, the Microsoft Editor Spelling & Grammar Checker is a popular browser addon that also leaks the same data.

This means that:

  • Data you type into a password field can be sent. In some cases the data is sent even when the user does not check the option to make the password visible. In other cases it is sent only when the user makes the password visible.
  • Other sensitive data you might use when setting up a system – eg: private SSH keys
  • Other PII such as Social Security numbers typed into regular text fields or even links with encrypted attributes.

The good news is that the default spellchecker in most browsers is NOT the enhanced one. So only folks who have specifically turned on the enhanced spell checker are at risk.

The Fix

The solution for this is trivial – sensitive fields should have a ‘spellcheck’ attribute set to false.

But most input forms don’t have this.

We checked the login pages for many companies large and small – none of them have the spellcheck attribute set to false on any of the fields which means that they’re all vulnerable to inadvertent data disclosure via an enhanced spell checker (though this is probably fixed on all sites by now since this issue was disclosed weeks ago).

Even our own login page on this site didn’t have it. So, of course we’ve resolved that.

The Work Around

As a user, you need to disable your advanced spell checker since most companies will likely NOT fix their input forms any time soon.

For Microsoft, you should remove the Microsoft Editor from Edge as well.


We’ve updated our code to explicitly set fields containing sensitive date to exclude data from the spellchecker.

This update is available in WPCD 5.0

Let’s hope that the enhanced spell checkers continue to respect the ‘ spellcheck ‘ attribute on input fields. (Browser makers can do whatever they want and there’s nothing that says they must respect a particular attribute. Though, they’d likely be in a great deal legal trouble if they deliberately ignored it.)


If you’re using the enhanced spell checker, this is an urgent issue.

If you’re not, then, it’s a low priority issue and likely doesn’t affect you.

We’re ranking this a low priority issue overall for the following reasons:

  • Most users don’t use enhanced spell checkers in their browsers
  • There’s a simple work-around (disable enhanced spell checkers)
  • MS/GOOGLE are now aware of the issue and hopefully scrubbing the incoming data

The fix is available in WPCD 5.x but will not be back-ported to WPCD 4.x.


You can find more information about the issue here:

Was This Article Useful? Or do you have questions or comments about it (or our products & services)? We'd love to hear from you!

Please enter your name.
Please enter a message.
You must accept the Terms and Conditions.
Please check the captcha to verify you are not a robot.

Automatic Notification Of New Articles

Sign up to get automatic notifications of new articles.  This is a different list than our standard list - you only get new articles once a week (usually on Mondays).  No other emails will be sent unless you sign up for our general list as well.