It turned out that the text sent for checking includes the contents of input forms holding confidential data, among them fields with user names, addresses, emails, passport data and even passwords, if password entry is not restricted by the standard tag “”. For example, the problem results in passwords being sent to www.googleapis.com when the option to show the entered password is used, as implemented in Google Cloud (Secret Manager), AWS (Secrets Manager), Facebook, Office 365, Alibaba Cloud and LastPass. Of the 30 well-known sites tested, including social networks, banks, cloud platforms and online stores, 29 were subject to the leak.
In AWS and LastPass, the problem has already been promptly fixed by adding “spellcheck=false” to the input tag. To block the sending of data on the user side, disable the enhanced check in the settings (section “Languages / Spell Check / Enhanced Spell Check” or “Languages / Spelling check / Expanded check”; the enhanced check is disabled by default).
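A site owner can audit markup for the server-side fix described above. The following is an added example, not code from the original report or from any of the sites named: it lists text-entry fields that lack spellcheck="false", and flags password fields separately because a show-password option only exposes them once revealed. The names `auditSpellcheck` and `SAMPLE_HTML` and the sample form are constructed; the scan assumes attribute values contain no ">" and does not follow a spellcheck setting inherited from an ancestor element.

```javascript
// Input types that take no free text, so a spell checker has nothing to read.
const SKIP_TYPES = new Set(["hidden", "checkbox", "radio", "submit", "button",
  "file", "image", "reset", "range", "color"]);

// Parse the attribute portion of one tag into an object with lowercase keys.
function parseAttrs(src) {
  const attrs = {};
  const re = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of src.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return every <input>/<textarea> that does not opt out of spell checking.
// Conservatively treats every text-entry type as checkable by the browser.
function auditSpellcheck(html) {
  const findings = [];
  for (const [, tag, rest] of html.matchAll(/<(input|textarea)\b([^>]*)>/gi)) {
    const a = parseAttrs(rest);
    const type = tag.toLowerCase() === "textarea"
      ? "textarea"
      : (a.type || "text").toLowerCase();
    if (SKIP_TYPES.has(type)) continue;
    if ((a.spellcheck || "").toLowerCase() === "false") continue; // already fixed
    findings.push({
      field: a.name || a.id || "(unnamed)",
      type,
      // A password field becomes checkable once a toggle switches it to text.
      risk: type === "password" ? "exposed-when-revealed" : "exposed",
    });
  }
  return findings;
}

// Constructed sample form, not taken from any real site.
const SAMPLE_HTML = `
<form action="/signup">
  <input type="text" name="full_name">
  <input name="passport_no" spellcheck="false">
  <input type="password" name="password">
  <input type="password" name="pin" spellcheck=false>
  <textarea name="address"></textarea>
  <input type="hidden" name="csrf" value="x">
</form>`;

console.log(auditSpellcheck(SAMPLE_HTML));
```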