Grammarly Allowed Websites to Read Everything You Typed Online (Private Data, Documents Included)
Grammarly, the popular “writing-enhancement” platform that promises to catch all your typos, forgot to catch its own security typos. Its Chrome extension (and potentially its Firefox one), which has nearly 22 million users, had been exposing users’ authentication tokens to every website they visited. The company has now fixed the vulnerability, which allowed any site to access a user’s account and documents.
Google Project Zero’s Tavis Ormandy discovered the bug and rated it “high severity”, saying that it exposed authentication tokens to all websites. “The Grammarly chrome extension (approx ~22M users) exposes its auth tokens to all websites, therefore any website can log in to grammarly.com as you and access all your documents, history, logs, and all other data,” he wrote.
“I’m calling this a high severity bug, because it seems like a pretty severe violation of user expectations. Users would not expect that visiting a website gives it permission to access documents or data they’ve typed into other websites.”
To offer writing assistance, Grammarly requires access to everything you type. From social media posts to technical reports, the extension reads it all in order to catch your typos. The flip side is that any security flaw in the extension puts all of that data at risk of exposure.
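The bug class Ormandy describes, as an added illustration that is not Grammarly’s code and does not reproduce the actual Grammarly flaw: a browser extension’s content script runs inside every page the extension is allowed on and shares that page’s `window.postMessage` channel with the page’s own scripts. If it answers “give me the token” requests without checking who is asking, any website the user visits can read the session token and use it against the service’s API as that user. Everything below (origins, token, document names, the API) is constructed for the demo.

```javascript
// Added example (not Grammarly's code): a content script that leaks a session
// token to any web page, beside a hardened version that checks the asking origin.
// All origins, tokens, documents and the API below are constructed for the demo.

const SERVICE_ORIGIN = "https://app.example-writer.test"; // assumed first-party origin
const ATTACKER_ORIGIN = "https://evil.example.test";      // assumed arbitrary third-party page

// Constructed server-side session store: token -> account data.
const SESSIONS = new Map([
  ["sess-7f3a", { user: "alice", documents: ["draft-report.txt", "cover-letter.txt"] }],
]);

// Constructed service API: whoever presents a valid token is treated as that user.
function apiListDocuments(token) {
  const session = SESSIONS.get(token);
  return session ? session.documents : null;
}

// Vulnerable content-script handler: replies to a GET_AUTH_TOKEN request from any page.
// `event` mimics a MessageEvent: { origin, data }.
function vulnerableHandler(event, sessionToken) {
  if (event.data && event.data.type === "GET_AUTH_TOKEN") {
    return { type: "AUTH_TOKEN", token: sessionToken };
  }
  return null;
}

// Hardened handler: only the first-party origin may ask. The check relies on the
// browser-supplied event.origin, which a page script cannot forge.
function hardenedHandler(event, sessionToken) {
  if (!event.data || event.data.type !== "GET_AUTH_TOKEN") return null;
  if (event.origin !== SERVICE_ORIGIN) return null;
  return { type: "AUTH_TOKEN", token: sessionToken };
}

// What an arbitrary website can do: send the request and, if a token comes back,
// call the service's API with it ("log in to the service as you").
function attackerPage(handler, sessionToken) {
  const event = { origin: ATTACKER_ORIGIN, data: { type: "GET_AUTH_TOKEN" } };
  const reply = handler(event, sessionToken);
  if (!reply) return { tokenLeaked: false, documents: null };
  return { tokenLeaked: true, documents: apiListDocuments(reply.token) };
}

// The legitimate first-party page keeps working with the hardened handler.
function firstPartyPage(handler, sessionToken) {
  const event = { origin: SERVICE_ORIGIN, data: { type: "GET_AUTH_TOKEN" } };
  const reply = handler(event, sessionToken);
  return reply ? apiListDocuments(reply.token) : null;
}

const demoToken = "sess-7f3a";
console.log("vulnerable handler, attacker page:", attackerPage(vulnerableHandler, demoToken));
console.log("hardened handler, attacker page:  ", attackerPage(hardenedHandler, demoToken));
console.log("hardened handler, first party:    ", firstPartyPage(hardenedHandler, demoToken));
```

The origin check is the minimum fix. The more robust design keeps the token out of anything a page script can reach at all: the content script only forwards requests to the extension’s background script with `chrome.runtime.sendMessage`, and the background script, which no website can talk to, holds the credentials and performs the authenticated API calls itself.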
To its credit, Grammarly released a fixed version to the Chrome Web Store within a few hours of being contacted about the vulnerability. The fix went out earlier today and Chrome should install it automatically. It remains unclear whether the bug was ever exploited.
“We were made aware of a security issue with our extension on Friday and worked with Google to roll out a fix within a few hours,” the company tweeted. “Thank you to @taviso and the team for finding and educating the community about the complexities of this bug. We will provide more updates soon.”
Impressive as the turnaround was, the vulnerability still raises the question of how much data could already have been exposed. The episode is also a reminder that a browser extension with permission to read every page you visit is a large attack surface, however reputable its publisher: a single bug in it can hand any website whatever the extension can see.