Most major websites are sending Google and Microsoft sensitive data, including date of birth, email addresses, and even passwords – is your website one of them?
The problem
When a user enters data into a form input field, the enhanced spell check feature in Chrome and Edge sends any unknown word back to a central server (unencrypted).
These unknown words could contain personal data or passwords. Once sent, it is unclear who has access to the data or how securely the information is stored.

If you manage a website, it is your responsibility to protect your users' data. Stopping PII (personally identifiable information) and passwords leaking to a 3rd party should be a top priority.
If the security issue wasn’t enough, auto spell check also creates an odd user experience. Seeing a red line under unique answers like a username is unnecessary and potentially confusing for users.
The solution
Fixing this data leak on your website is super simple. For any input field which doesn't need spell check, just add spellcheck="false" to the input field. This change will stop spell check working on that individual input field.
For example, the code for a username input field would look something like this:
<div>
  <label for="username">Username:</label>
  <input type="text" spellcheck="false" id="username" name="username">
</div>
By default, you should add spellcheck="false" to every input field and only allow spell check by exception.
For example, a user might find it useful, and expect, to have spell check on a comments field. But fields which include PII should always have spell check disabled, such as:
- National Insurance Number
- Passport number
- Name
- Driver’s license number
- Phone number
- Username
- Password
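One way to check page templates against this default-off rule, as an added example that is not from the original article: a Python audit that lists every text field where spell check is not switched off, honouring a spellcheck value inherited from a parent element. The allow-list, the set of skipped input types and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumption: input types that take no typed text and are skipped by the audit.
NON_TEXT = {"hidden", "checkbox", "radio", "submit", "button", "reset",
            "file", "image", "range", "color"}
VOID = {"input", "br", "hr", "img", "meta", "link", "area", "base", "col",
        "embed", "source", "track", "wbr"}

class SpellcheckAudit(HTMLParser):
    def __init__(self, allow=()):
        super().__init__()
        self.allow = set(allow)   # ids/names allowed to keep spell check
        self.stack = []           # (tag, effective spellcheck) of open elements
        self.findings = []        # (line, tag, id-or-name)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        state = self.stack[-1][1] if self.stack else None  # inherited value
        if "spellcheck" in a:
            v = (a["spellcheck"] or "").strip().lower()
            state = {"false": False, "true": True, "": True}.get(v, state)
        is_field = tag == "textarea" or (
            tag == "input" and (a.get("type") or "text").lower() not in NON_TEXT)
        key = a.get("id") or a.get("name") or "?"
        if is_field and state is not False and key not in self.allow:
            self.findings.append((self.getpos()[0], tag, key))
        if tag not in VOID:
            self.stack.append((tag, state))

    def handle_endtag(self, tag):
        # Pop back to the matching open element; stray end tags are ignored.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit(html, allow=()):
    parser = SpellcheckAudit(allow)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample form, not taken from any real site.
SAMPLE = """\
<form>
  <input type="text" spellcheck="false" id="username" name="username">
  <input type="text" id="passport" name="passport">
  <input type="password" id="password" name="password">
  <input type="hidden" name="csrf" value="x">
  <textarea id="comments" name="comments"></textarea>
  <fieldset spellcheck="false">
    <input type="tel" id="phone" name="phone">
    <input type="text" id="nickname" spellcheck="true">
  </fieldset>
</form>
"""

if __name__ == "__main__":
    for line, tag, key in audit(SAMPLE, allow={"comments"}):
        print(f"line {line}: <{tag}> '{key}' does not have spell check disabled")
```

Run over the sample with the comments field allowed by exception, it reports the passport, password and nickname fields and passes the username and phone fields.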
Final thoughts
This probably isn’t a major issue (presuming you trust Microsoft and Google) but just knowing the problem exists should be enough of a reason to make the change.
My site, just like many other websites, has been affected by this issue. My next job is to apply the fix.
The spell check issue was discovered by Co-founder & CTO for otto-js, Josh Summitt. You can read Josh’s full article ‘Chrome & Edge Enhanced Spellcheck Features Expose PII, Even Your Passwords’.
