Grammarly, the popular “writing-enhancement” platform that catches all your typos, failed to catch a security typo of its own. With nearly 22 million users, Grammarly’s Chrome (and potentially Firefox) extension has been exposing user details because of a security bug. The company has fixed this security vulnerability, which enabled access to user accounts and documents.
Google Project Zero’s Tavis Ormandy discovered this security bug and rated it “high severity”, stating that it exposed authentication tokens to all websites. “The Grammarly chrome extension (approx ~22M users) exposes its auth tokens to all websites, therefore any website can login to grammarly.com as you and access any documents, history, logs, and all other data,” he wrote.
“I’m calling this a high severity bug, because it seems like a fairly severe violation of user expectations. Users would not expect that visiting a website gives it permission to view documents or data they’ve typed into other websites.”
To offer you writing assistance, Grammarly requires access to everything you type. From your social media posts to technical reports, everything is read by the extension so that it can catch typos. However, this means that any security flaw affecting Grammarly leaves user data prone to exposure.
To its credit, Grammarly fixed the problem and released an update to the Chrome Web Store within just a few hours of being contacted about this security vulnerability. The company released a fix earlier today and the extension should update automatically. It remains unclear whether the bug was ever exploited.
“We were informed about a security issue with our extension on Friday and helped Google to unveil a fix within hours,” the company tweeted. “Thanks a ton to @taviso and the team for finding and educating the community about the complexities of the bug. We will provide more updates soon.”
While the turnaround was remarkable, the gaping security vulnerability does raise concerns about how much data might already have been exposed. This episode is yet another reminder that no matter how legitimate a company may be, using browser plugins that get broad access typically translates into security nightmares.