The Grammarly browser extension exposed the details of approximately 22m users.
Automated copy-editing app Grammarly has issued a fix for users of its Chrome and Firefox browser extensions, which contained a “high-severity bug” that exposed authentication tokens.
Tavis Ormandy, a security researcher at Google’s Project Zero, found the vulnerability in question and said the authentication tokens were exposed to all websites.
Ormandy said: “I’m calling this a high-severity bug, because it seems like a pretty severe violation of user expectations.”
He added: “Users would not expect that visiting a website gives it permission to access documents or data they’ve typed into other websites.”
Easy access to user accounts
User information could have been compromised manually or by using a script. Ormandy’s post showed four lines of code demonstrating how the user information could be accessed. He wrote: “I verified that is enough to log in to a Grammarly.com account.
“Therefore, any website can log in to Grammarly.com as you and access all your documents, history, logs and all other data.”
Grammarly acts fast to remedy the problem
Ormandy flagged the problem in a forum post on 2 February and, as of today (6 February), Grammarly has pushed updates to the Chrome Web Store and Mozilla. The company’s response time was described by Ormandy as “really impressive” and he declared that the issue was fixed.
In a statement, Grammarly said it worked with Google to issue a fix within a few hours and thanked Ormandy for “educating the community about the complexities of this bug”.
The company said the bug did not affect the Grammarly Keyboard, Microsoft Office add-in or any text typed on websites while the browser extension was in use. There is no requirement for users to install any updates, and monitoring for unusual activity is continuing. No evidence has yet been found to show that the vulnerability was ever exploited.