Flaw in Grammarly’s extensions opened user accounts to compromise

A vulnerability in the Grammarly Chrome and Firefox extensions allowed websites to read users’ authentication tokes and use to them to log in to the users’ Grammarly accounts and access all the (potentially sensitive) information held in them.

grammarly vulnerability

About the vulnerability

The vulnerability was discovered by Google project Zero researcher Tavis Ormandy, who reported it to Grammarly on Friday.

“I’m calling this a high severity bug because it seems like a pretty severe violation of user expectations. Users would not expect that visiting a website gives it permission to access documents or data they’ve typed into other websites,” Ormandy noted.

He also provided proof-of-concept code for triggering the bug.

By Monday, the company pushed out a new version of the popular extension, with the hole plugged.

“At this time, Grammarly has no evidence that any user information was compromised by this issue. The bug potentially affected text saved in the Grammarly Editor,” the company stated on Tuesday.

“This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the browser extension. The bug is fixed, and there is no action required by our users. We’re continuing to monitor actively for any unusual activity.”

Ormandy praised the company’s swiftness in responding to the report and issuing the fix.

“I’ve verified that Mozilla now also has the update, so users should be auto-updated to the fixed version,” he noted.

The vulnerable Chrome extension has been downloaded by over 10 million users. The Firefox Grammarly extension has over 600,000 users.

UPDATE (February 7, 2018):

Grammarly’s Michael Mager reached out to explain that the authentication tokens allowed access only to the user documents created and saved within the Grammarly Editor interface, which is available only when a user is logged in at Grammarly.com.

“On Grammarly.com there is no way to view texts that were typed in any other Grammarly product, such as text written on other websites while using the extension. Therefore, this bug was limited to the documents in the Grammarly Editor and did not affect any text typed while using the other products,” he added.