Grammarly has fixed a vulnerability in its browser extension that exposed users' documents, typing history and other account data to any website they visited with the extension installed.

Tavis Ormandy, a Google security researcher who discovered a memory disclosure bug in CloudFlare's reverse-proxy systems in February 2017, published a security advisory about the Grammarly flaw on 2 February 2018. In it, the researcher doesn't mince his words when describing the impact of the weakness:

The Grammarly Chrome extension (approx ~22M users) exposes its auth tokens to all websites, therefore any website can log in to grammarly.com as you and access all your documents, history, logs, and all other data. I'm calling this a high severity bug, because it seems like a pretty severe violation of user expectations.

Launched in late 2009, Grammarly is a platform that checks English writing for grammatical and spelling errors as the user types. Its browser extension lets it do so in text fields on every website the user visits. To tie that activity to the user's account, the extension relies on an authentication token: a credential, stored as a browser cookie, that Grammarly's server issues at login and that is sent back with every subsequent request. Whoever holds the token is treated by the server as that logged-in user.

Ormandy discovered that the extension exposed this token to every page the user visited: JavaScript served by any third-party website could read it, and an attacker holding the token could then present it to grammarly.com as the user and read all of the documents and other data stored in that account.
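
The following is an added illustration of the general failure mode described above; it is not Grammarly's code and does not reproduce the specific flaw Ormandy reported. It models, in plain Node-runnable functions, a hypothetical extension content script that answers `window.postMessage`-style requests from the page: a leaky handler that hands its session token to any origin that asks, beside a hardened one that checks the sender's origin and never releases the raw token at all. The API, origins, token value and document names are all constructed for the example.

```javascript
// Added illustration (not Grammarly's code): how a credential held by a browser
// extension becomes an account takeover once page scripts can read it.
// Everything is simulated in-process; names, origins and data are constructed.

// Constructed server-side state: one user whose session is a bearer token.
const SESSIONS = { "tok-7f3a": "alice" };
const DOCUMENTS = { alice: ["draft-cover-letter.txt", "thesis-chapter-2.txt"] };

// Hypothetical API: whoever presents a valid token is treated as that user,
// exactly like a session cookie the browser attaches to every request.
function apiListDocuments(token) {
  const user = SESSIONS[token];
  if (!user) return { status: 401, body: null };
  return { status: 200, body: DOCUMENTS[user] };
}

// The extension holds the user's token so it can make its own API calls.
const EXTENSION_STATE = { token: "tok-7f3a" };

// Leaky content-script handler: replies with the token to any page that asks.
// `event` mirrors the {origin, data} shape of a DOM "message" event.
function leakyHandler(event) {
  if (event.data && event.data.type === "get-token") {
    return { token: EXTENSION_STATE.token };
  }
  return null;
}

// Hardened handler: only an allowlisted origin may talk to it, and even then it
// never hands the token over. It performs the action itself and returns only the
// result, so a compromised or malicious page cannot replay the credential elsewhere.
const TRUSTED_ORIGINS = new Set(["https://app.example-checker.com"]); // hypothetical
function hardenedHandler(event) {
  if (!event.data || !TRUSTED_ORIGINS.has(event.origin)) return null;
  if (event.data.type === "list-documents") {
    return { documents: apiListDocuments(EXTENSION_STATE.token).body };
  }
  return null; // "get-token" and anything else unknown gets no answer
}

// What a page at `origin` can do: ask the handler for the token and, if one comes
// back, replay it against the API as the victim.
function attackerPageSteal(handler, origin) {
  const reply = handler({ origin, data: { type: "get-token" } });
  if (!reply || !reply.token) return { status: 401, body: null };
  return apiListDocuments(reply.token);
}

// Stand-alone demonstration.
console.log("leaky   :", attackerPageSteal(leakyHandler, "https://attacker.example"));
console.log("hardened:", attackerPageSteal(hardenedHandler, "https://attacker.example"));
```

The design point is the second handler: an origin allowlist stops arbitrary sites from talking to the extension, but the stronger fix is to never expose the credential to page-reachable code in the first place and to expose narrowly scoped actions instead.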

Upon notifying the platform of the security issue, Ormandy was surprised by the speed with which Grammarly issued a fix:

Grammarly had fixed the issue and released an update to the Chrome Web Store within a few hours, a really impressive response time. I've verified that Mozilla now also has the update, so users should be auto-updated to the fixed version. I'm calling this issue