Security hole meant Grammarly would fix your typos, but let snoopers read your private writings

A Google vulnerability researcher has found a gaping security hole in a popular web browser extension, that could have potentially exposed your private writings on the internet.

The Grammarly real-time spelling and grammar checker, which has over seven million daily users, describes itself as all you need to ensure that “everything you type is clear, effective, and mistake-free.”

As someone who is prone to getting muddled over whether to use “less” or “fewer”, or how to spell “accommodation”, I can certainly understand its appeal.

But by constantly looking over your shoulder at everything you type online, you want to be sure that Grammarly is taking proper care over the information it is proof-reading for you.

Perhaps, then, poor spellers around the world should be grateful that vulnerability hunter extraordinaire Tavis Ormandy of Google’s Project Zero group appears to have found what he described as a “high severity bug” before it was uncovered by anybody more malicious.

Ormandy discovered that a simple piece of JavaScript hidden on a malicious website could secretly trick the Grammarly extension for Firefox and Chrome into handing over a user’s authentication token.

With such a token, a malicious hacker could log into your Grammarly account, access Grammarly’s online editor, and unlock your “documents, history, logs, and all other data.”

The good news is that Grammarly responded with impressive speed after being informed of the problem by Ormandy. Even though the Google security researcher gave Grammarly 90 days to fix the issue, it was actually resolved within a few hours – a response time that Ormandy described as “really impressive.”

Grammarly turned to Twitter to reassure users that it had rolled out a patch for the bug, and that exploitation of the vulnerability was limited to text saved in the Grammarly Editor.

“This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the browser extension.”

“The bug is fixed, and there is no action required by our users.”

With an automatic update already rolled out to the Firefox and Chrome extension libraries, chances are that the problem has been fixed before it could be maliciously exploited. All the same, it’s impossible to be 100% certain that Tavis Ormandy was the first person in the world to uncover this particular bug – so it always makes sense to keep your eye open for suspicious activity.

Leave a Reply

Your email address will not be published.