What’s more, if users take advantage of the “Show Password” option, then passwords themselves can be transmitted, as well.
The info, potentially anything entered in form fields while these enhanced spell checkers are on, is only sent temporarily to Google, the company said:
“The text typed by the user may be sensitive personal information and Google does not attach it to any user identity and only processes it on the server temporarily. To further ensure user privacy, we will be working to exclude passwords proactively from spell check.”
In addition, turning on Enhanced Spell Checker in Chrome states that “(t)ext that you type in the browser is sent to Google.”
Both Microsoft and Google use company servers to perform the enhanced spellchecks, but in doing so may be opening up attack vectors that users may not be aware of.
You can read more about the research conducted by otto-js in their blog post.