A critical vulnerability discovered within the Chrome in addition to Firefox browser extension of the grammar-checking software Grammarly inadvertently left all 22 million users’ accounts, including their personal documents in addition to records, vulnerable to remote hackers.
In different words, any website a Grammarly user visits could steal his/her authentication tokens, which is actually enough to login into the user’s account in addition to access every “documents, history, logs, in addition to all different data” without permission.
“I’m calling This particular a high severity bug, because the idea seems like a pretty severe violation of user expectations,” Ormandy said in a vulnerability report. “Users would likely not expect that will visiting a website gives the idea permission to access documents or data they’ve typed into different websites.”
Ormandy has also provided a proof-of-concept (PoC) exploit, which explains how one can easily trigger This particular serious bug to steal Grammarly user’s access token with just four lines of code.
This particular high-severity flaw was discovered on Friday in addition to fixed early Monday morning by the Grammarly team, which, according to the researcher, is actually “a truly impressive response time” for addressing such bugs.
Security updates are at This particular point available for both Chrome in addition to Firefox browser extensions, which should get automatically updated without requiring any action by Grammarly users.
A Grammarly spokesperson also told in an email that will the company has no evidence of users being compromised by This particular vulnerability.
“Grammarly resolved a security bug reported by Google’s Project Zero security researcher, Tavis Ormandy, within hours of its discovery. At This particular time, Grammarly has no evidence that will any user information was compromised by This particular issue,” the spokesperson said.
“We’re continuing to monitor actively for any unusual activity. The security issue potentially affected text saved within the Grammarly Editor. This particular bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the Grammarly browser extension. The bug is actually fixed, in addition to there is actually no action required by Grammarly users.”
Stay tuned for more updates.