Google Chrome and Microsoft Edge include options to improve the basic spellchecking functionality of the web browser.
Chrome’s Enhanced Spellcheck and Microsoft Edge’s Microsoft Editor are designed to improve spellchecking further, but they do by transferring pretty much anything that users type into fields to company servers.
Chrome users find the Enhanced Spellcheck feature on the Languages settings page. It can be accessed by loading chrome://settings/languages in the browser’s address bar, or by selecting Menu > Settings > Languages.
Once enabled, Chrome uses the same spell checker that Google Search uses. Google notes that text that users type after enabling the feature is sent to Google.
Similarly, when users enable Microsoft Editor in the Edge browser, they improve spell checking but have their typed data submitted to Microsoft as a consequence. Microsoft does not mention that typed data is sent to company servers when Microsoft Editor is enabled.
Josh Summitt published his findings on the functionality of the enhanced spell checkers on the otto-js company blog.
Summitt discovered that the browser’s were sending almost any typed data automatically after the enhanced spell checking features were enabled; this included usernames, email addresses, but also anything typed as comments or in forms.
Passwords are not submitted by default, but when users use the “show password” option on websites, they are submitted automatically. The passwords are then sent to third-party servers along with other information.
It takes a single click to enable the enhanced functionality. Google does inform users about the sending of typed data, whereas Microsoft does not in Edge. Summitt notes that home users and organizations are affected alike.
A spell-jacking video demonstrates how organizations could inadvertently expose information about a company’s cloud infrastructure, including servers, databases, corporate email accounts and password managers, to Google or Microsoft.
Chrome and Edge users may want to make sure that the enhanced features are not enabled in their browsers. It is unclear how the data is processed, how it is used and whether it is stored or not.
Enhanced spell checking is a useful feature as it promises to find spelling and grammar issues that basic spell checking can’t detect. The improvement comes at the cost of submitting data to the cloud. Considering that anything that is typed, with the exception of passwords, are submitted automatically, most Internet users may want to disable the functionality.
Now You: do you use spell checking in your browser? (via Bleeping Computer)
Info for Brave users, as they might be concerned since Brave is based on Chromium:
Brave does not have the “Enhanced spell check” option that Chrome and Edge have, only the unaffected “Basic spell check” exists under brave://settings/languages …
Nothing needs to be done if you are using Brave, this is a Chrome and Edge issue.
Unrelated to this specific issue, I am still disabling everything under brave://settings/autofill as a matter of due diligence, as there are other concerns with autofill, however, this would include any browser (so Firefox & Safari as well).
Perhaps a hint in the article that this is specifically a Chrome / Edge issue and NOT a general Chromium issue would be good.
Is there a better place for such statement that a title of this article? It is there, clearly stated. Then one may ask to add it is NOT an issue of Firefox…
Since Chrome and Edge are Chromium-based browsers, there was a chance that this could be Chromium base code issue, which in turn means there was a (however remote) chance that Brave could have been affected – which is not the case.
Firefox is not based on Chromium, why mention it in this context? Makes no sense.
Please think first before you go into passive aggressive mode. Thank you.
@Iron Heart: I don’t even trust the basic spell check because how do we know it behaves differently than the advanced spell check? Yes, I know, advanced is not an option in Brave, but still ……… the basic one? Nahh.
Please read this:
The “Basic spell check” setting uses whatever dictionary comes with Chromium and / or your operating as the source, so it is fully local. Only “Enhanced” creates an outside connection, which is why Brave removed it. Of course, you must decide whether or not you need spell checking, “basic” is not a privacy issue though. Cheers.
@Iron Heart: thanks a lot for that link, you set my mind at ease 😉
Firefox is better than Brave.
Do… do you have more than this one sentence, bro?
You didn’t even say what was better when I asked you. 😀
Firefox is better than Brave.
I’ll leave it at that now.
@Anonymous: in what way?
He doesn’t know, it’s the reason why he can only repeat the same sentence again. It’s not better in any of the following areas:
– Web compatibility.
You could make a case for UI customization but there it gets stomped by Vivaldi. It used to be the greatest browser in the 2000s, but is far from best in 2022.
Firefox is better than Brave.
It’s impossible to be better than the best.
Problem is, what browser is the best?
Maybe Firefox is better than Brave, or Brave better than Firefox.
But what if Chrome was better than both?
If so, what if Edge was better than Chrome?
If so it’d be the best, unless if Vivaldi was better than Edge.
This is highly problematic.
I’ll stick on with a browser that fulfills all my needs and requirements.
I don’t care if it’s better or not, the best or not.
It’s called Firefox.
Dude, it’s not a prayer. A browser is just a tool.
I just gave my opinion based on various areas a browser can excel in, and in none of them I currently see Firefox as leading. It’s just what it is.
Edge has the WORST spellchecker of any browser I have used. I don’t have examples at hand but even simple misspelled words remain misspelled or the correct spelling isn’t even recognized and provided as an option. Jeez.
It was kind of obvious, even they say they will improve the spellchecker and servers and all that.
People should stop being paranoid, Google and Microsoft is not going to care about passwords123 anyway.
It is the same ridiculous attitude people had when the said “oh Memory has all passwords in plain text” kind of crap.
Nobody needs to hack Microsoft or Google servers to get people’s passwords, people give them away all the time in random pages and apps and emails.
If people want to help Microsoft and Google to make spellchecker better, then so be it, I mean, Edge one is kind of good and it is (I guess) the one you would find in office and mail and all that.
It is the same with voice stuff, they always have something that sends some pieces of people’s conversations to improve, and nothing has happened because of it.
Imagine complaining about this and having a phone on 24/7 with WIFI or Data connection, like most people who will be spreading this ‘news’ are doing.
Have O365, use Microsoft Editor with few languages and I’m very happy: it does great work. It’s normal that is has to send data, it works on MS servers level, not locally so.. What’s wrong with that?
@lukas: there is nothing wrong with it. If you are happy to have all your searches exposed to Google, there is no problem.
I am always amazed by the premise that if you have not to hide you have nothing to worry about so why try to keep Google out.
Well, when you go to the toilet you have nothing to hide either, yet you close the door, possibly even lock it, in order to keep others out.
If you have money that you have earned from honest work, you have nothing to hide, yet you keep your banking details safe with a password. If you have nothing to hide, please give me your log-in details 😉
Sorry, but it’s nonsense.
There is HUGE difference between
“it needs to be sent to remote server, because only remote system analyses data”
“show me everything if you do not want hide everything!”
World is NOT black & white
@ Klaas Vaak,
Quote: “I am always amazed by the premise that if you have not to hide….” Unquote
If you have not to hide…??
Is that what they teach you at school these days? 😀
don’t use Chrome or Edge at all, I would say
Those two and Opera, and you basically have my “Never recommend to anyone…” list.
That’s it! I’m switching to Firefox!
How to ungoogle Firefox?
Turn off geolocation (uses Google’s location services), turn off SafeBrowsing. Switch to a different search engine (otherwise all you are typing in the address bar is transmitted to Google), StartPage is good if you prefer Google’s result without wanting to use them. Otherwise DuckDuckGo or Brave Search.
On Android, Firefox ships with a hardcoded Google tracker (before people needlessly shout at me again, source: https://reports.exodus-privacy.eu.org/en/reports/org.mozilla.firefox/latest/ ). You can avoid this by using Fennec F-Droid, which is a tracker- and telemetry-free version of FF.
You can ungoogle Firefox (to a limited extent), but you can’t ungoogle Mozilla’s greedy, sellout, commie brains.
Avoid them as much as you can – on any platform. Same goes for DDG, the Mozilla of the search engines.
Firefox is better than Brave.
Better at sending data to Google, maybe.
Do I use spell checking in my browser? Haha, NO. I know how to spell. The people that use spell checkers do not know how to spell. The education system has failed them.
Anyway, your data is safe with Google, unlike Microsoft (a poor mans Google) who sells your data.
yeah, sure. Whatever you say pal
@ChromeFan: I agree with your comment about the education system many/most people’s spelling these days is atrocious, even that of certain people, like e.g. journalists, who should know better.
Nevertheless, literally anybody can make a spelling mistake without noticing it, esp. nowadays in the high pressure business environment we live in.
So, nope, spell checking is not just for the poorly educated.
Note: I don’t use it in Brave.
“Anyway, your data is safe with Google, unlike Microsoft (a poor mans Google) who sells your data.”
You’re right. Your data in Google is safe – nobody buys damaged goods – it needs to be preserved until the purchase is finalized…
There’s zero usefulness to anyone in sending anything–ever–in a password or userid field anywhere for the purpose of “spellcheck” (since they should never contain words to be checked).
Google, Amazon, Facebook, Apple, Microsoft and several other leading companies suffer from the split brain syndrome :
“Split-brain or callosal syndrome is a type of disconnection syndrome when the corpus callosum connecting the two hemispheres of the brain is severed to some degree.
After the right and left brain are separated, each hemisphere will have its own separate perception, concepts, and impulses to act.” [https://en.wikipedia.org/wiki/Split-brain]
You said it : each hemisphere will have its own separate perception, concepts.
These companies’ left gives, the right takes. Good business is to take more than to give. Win-win deals are for losers. GAFAM are winners of course. They just can’t help it. If you think “Wow, nice initiative, nice feature” then you realize it’s only to grab one handful more of your privacy. If you’re a male you can imagine what ladies can go through when they discover what your bla-bla was meant for.
“Don’t use Chrome’s and Edge’s Enhanced Spellcheck features”. I won’t. I couldn’t : I use neither of their browsers.
The clear solution to this and many other similar issues is to simply not use Edge or Chrome. It actually amazes me that anyone with even a marginal concern for privacy would ever use these browsers. Its not like they offer something special in return for giving them your data.
Indeed. There’s a collective unconscious which considers leading companies as *the* reference, and not only those of the Web. I’m also deeply annoyed when I notice in TV soap-operas, in movies that when the scenario includes a computer, a search engine, it’s always Microsoft and Google which appear. There was a time when a fake search engine would replace the ones we know, but no longer : the digital way of life now names them, and always the same. A film where you’d see the hero searching the Web with Firefox, Brave, even Safari does simply not exist. All this participates to the idea that the digital world is that of Google and Microsoft. In my view it’s either a shame either the evidence that a good film-maker can be as dumb as a sheep when it comes to considering the ‘natural environment” of his film. Forgot this : the PC is a Mac when the context is wealthiness. On what planet are the media living on?
I’m on Edge Version 105.0.1343.42 and there is no Writing Assistance or Microsoft Editor on edge://settings/help. There is only a toggle for “Enable Spellcheck”. Could a corporate GPO have removed the MSFT server version?
Read the article again.
Settings are under setting; Language in your version.
I mistyped my comment, I meant “edge://settings/languages”.
From the article: “Load edge://settings/languages in the Microsoft Edge address bar, OR go to Menu > Settings > Languages.”
It is the same thing.
If the enhanced spellchecker exposes passwords when the reveal password is used, what about other use cases? For example, when you create a password for the first time; when you enter banking and/or credit card information; and, other such sensitive information.
You make an excellent point, Coriy!.
Thanks for the article. :]
Don’t use Chrome or Edge – period!
I don’t use any spell checking in a browser, or autocorrect, or any kind of autocomplete – either in text entry forms or in the URL bar. Almost all that input is likely to be phoned home to google’s (or MS’s) servers according to academic research into browser phone-home behavior.
I spell fairly well and I don’t mind looking up a term in an online dictionary if I’m unfamiliar with its spelling. For longer writing, like some of the how-to’s that I write on different tech forums, I’ll often do the writing in a word processor and use its spell and grammar checking tools to make sure things look readable before I post them.
I agree with John B. – don’t use Chrome or Edge – period. If you must use a chromium-based browser, the academic studies prefer Brave for privacy, and the free software advocates prefer Ungoogled Chromium for strippping out google’s proprietary blobs of code. Either of them would be miles better from a privacy perspective than Chrome or Edge.
Just look at the commenter’s on social media. Spell checker’s are what have enabled there level of literacy and let them loose there ignorance. Thats how Twitter gained it’s popularity too.
Please click on the following link to open the newsletter signup page: Ghacks Newsletter Sign up
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.