Chrome leaked passwords from hidden input preview fields

Chrome sends sensitive data to Google's servers when Enhanced Spell Check mode is enabled, because that mode performs the check with an external service. The same issue appears in the Edge browser when the Microsoft Editor add-on is used.

It turned out that the text sent for checking includes, among other things, the contents of input forms holding confidential data: fields with usernames, addresses, email, passport data, and even passwords, if the password input field is not limited to the standard tag "<input type=password>". For example, the problem causes passwords to be sent to the www.googleapis.com server when the option to show the entered password is enabled; this option is implemented in Google Cloud (Secret Manager), AWS (Secrets Manager), Facebook, Office 365, Alibaba Cloud and LastPass. Of the 30 well-known sites tested, including social networks, banks, cloud platforms and online stores, 29 leaked data.

In AWS and LastPass the problem was quickly resolved by adding the "spellcheck=false" parameter to the "input" tag. To block the data from being sent on the user's side, disable the enhanced check in the settings (section "Languages/Spell check/Enhanced spell check" or "Languages/Spell check/Advanced check"; the enhanced check is disabled by default).
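
A site owner can check templates for fields that lack the "spellcheck=false" fix described above. The following is an added example, not code from the original article or from any of the named services; the function names, the sample form and the stub-friendly toggle are assumptions made for illustration.

```javascript
// Input types whose values the HTML spec lets a browser spell-check.
const SPELLCHECKED_TYPES = new Set(["text", "search", "email", "url"]);

// Parse one start tag's attributes into an object with lowercase keys.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\w+/, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of body.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Report text-entry fields that do not opt out of spell checking.
// Password inputs are included because a "show password" script can
// switch them to type="text", after which the browser may check them.
// Limits: regex scan, so attribute values containing ">" and a
// spellcheck setting inherited from an ancestor are not handled.
function findSpellcheckExposed(html) {
  const findings = [];
  for (const m of html.matchAll(/<(input|textarea)\b[^>]*>/gi)) {
    const element = m[1].toLowerCase();
    const a = parseAttrs(m[0]);
    const type = element === "input" ? (a.type || "text").toLowerCase() : null;
    if (type && type !== "password" && !SPELLCHECKED_TYPES.has(type)) continue;
    if ((a.spellcheck || "").toLowerCase() === "false") continue;
    findings.push({ element, type, name: a.name || a.id || "(unnamed)" });
  }
  return findings;
}

// Show/hide toggle that sets spellcheck="false" before exposing the value.
// `field` is any object with the DOM's `type` property and setAttribute().
function setPasswordVisible(field, visible) {
  field.setAttribute("spellcheck", "false");
  field.type = visible ? "text" : "password";
  return field;
}

// Constructed sample form (not taken from any real site).
const SAMPLE = `<form>
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="password" name="pin" spellcheck="false">
  <textarea name="notes"></textarea>
  <input type="checkbox" name="remember">
</form>`;
console.log(findSpellcheckExposed(SAMPLE));
```

On the sample form the audit reports the username, password and notes fields and skips the "pin" field, which already carries the fix.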



Source: opennet.ru
