A critical vulnerability discovered from the Chrome along with Firefox browser extension of the grammar-checking software Grammarly inadvertently left all 22 million users’ accounts, including their personal documents along with records, vulnerable to remote hackers.
In some other words, any website a Grammarly user visits could steal his/her authentication tokens, which is usually enough to login into the user’s account along with access every “documents, history, logs, along with all some other data” without permission.
“I’m calling This kind of a high severity bug, because the idea seems like a pretty severe violation of user expectations,” Ormandy said in a vulnerability report. “Users would certainly not expect of which visiting a website gives the idea permission to access documents or data they’ve typed into some other websites.”
Ormandy has also provided a proof-of-concept (PoC) exploit, which explains how one can easily trigger This kind of serious bug to steal Grammarly user’s access token with just four lines of code.
This kind of high-severity flaw was discovered on Friday along with fixed early Monday morning by the Grammarly team, which, according to the researcher, is usually “a definitely impressive response time” for addressing such bugs.
Security updates are currently available for both Chrome along with Firefox browser extensions, which should get automatically updated without requiring any action by Grammarly users.
A Grammarly spokesperson also told in an email of which the company has no evidence of users being compromised by This kind of vulnerability.
“Grammarly resolved a security bug reported by Google’s Project Zero security researcher, Tavis Ormandy, within hours of its discovery. At This kind of time, Grammarly has no evidence of which any user information was compromised by This kind of issue,” the spokesperson said.
“We’re continuing to monitor actively for any unusual activity. The security issue potentially affected text saved from the Grammarly Editor. This kind of bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the Grammarly browser extension. The bug is usually fixed, along with there is usually no action required by Grammarly users.”
Stay tuned for more updates.