Slashdot Mirror


A Bug in Browser Extension Grammarly, Now Patched, Could Have Allowed an Attacker To Read Everything Users Wrote Online (gizmodo.com)

Copyediting app Grammarly included a gaping security hole that left users of its browser extension open to more embarrassment than just misspelled words. From a report: The Grammarly browser extension for Chrome and Firefox contained a "high severity bug" that was leaking authentication tokens, according to a bug report by Tavis Ormandy, a security researcher with Google's Project Zero. This meant that any website a Grammarly user visited could access the user's "documents, history, logs, and all other data," according to Ormandy. Grammarly provides automated copyediting for virtually anything you type into a browser that has the extension enabled, from blogs to tweets to emails to your attorney. In other words, there is an unfathomable number of scenarios in which this kind of major vulnerability could result in disastrous real-world consequences. Grammarly has approximately 22 million users, according to Ormandy, and the company told Gizmodo in an email that it "has no evidence that any user information was compromised" by the security hole. "We're continuing to monitor actively for any unusual activity," a Grammarly spokesperson said.

57 comments

  1. seems like a feature by Anonymous Coward · · Score: 4, Insightful

    Based on the adverts I've seen for this service, it looks like it is first-and-foremost a browser-based keylogger anyway, with the copy editing features just being the hook to get people to install (and pay?) for the 'service'. The 'bug' is probably just that actors other than paying companies and intelligence agencies can get free access to the data.

    1. Re:seems like a feature by Anonymous Coward · · Score: 1

      Ever notice that other stuff seems well programmed in general, but when it comes to security, stuff is "accidentally" configured to be leaky... stuff very basic to security that anyone would know? Everything from not sending passwords in plaintext to mismanaging authentication tokens, to having S3 buckets public. Basic stuff. If this were a physical lock, it would be like Schlage shipping high security mortise hardware without pins in the lock, or Abloy locks missing sidebars so a screwdriver can turn them.

      Even though the GDPR is mainly a knee-jerk anti-US law to give the EU judges more "credibility" by attacking foreign companies, it might be a good thing overall, should they actually bother to keep their own house clean and enforce it domestically. It would make the consequences for stupid stuff like this (which is definitely no accident) severe enough that products don't ship unless they actually had some QA in security.

    2. Re:seems like a feature by CastrTroy · · Score: 4, Interesting

      This is basically a symptom of a problem that exists everywhere. Most people can learn how to program. In school they teach you how to program. But it's an entirely other type of skill to program something that can't be broken by malicious actors. Most people learn how to code in a very safe environment, and don't ever have their code attacked or challenged until much later into their career. It's hard enough for most companies to find developers that will check user input (does this number field actually contain a number), never mind checking for users who are actively trying to attack the system.

      It's kind of a problem that's only found in the computer industry. Cars don't stop people from crashing them if they are actively trying to crash them, or some other person is actively trying to run them off the road. They can put in a few basic features like seat belts and airbags to help the passengers, but if somebody actively wants to harm the people in the car, then there's a good chance they will be able to do it.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.

    3. Re:seems like a feature by Anonymous Coward · · Score: 2, Funny

      But... but... those ads said if I write online I NEED it! Because apparently schools teach nothing and only a browser extension can let us write words good ish like.

    4. Re:seems like a feature by Carewolf · · Score: 1

      Based on the adverts I've seen for this service, it looks like it is first-and-foremost a browser-based keylogger anyway, with the copy editing features just being the hook to get people to install (and pay?) for the 'service'. The 'bug' is probably just that actors other than paying companies and intelligence agencies can get free access to the data.

      Sounds like what Google themselves are offering in syncing with your phones. They also record and track everything you write on the internet, but it isn't spyware, it is a feature!

    5. Re: seems like a feature by Anonymous Coward · · Score: 0

      But why did they name it so retardedly?

    6. Re:seems like a feature by Anonymous Coward · · Score: 0

      But... but... those ads said if I write online I NEED it! Because apparently schools teach nothing and only a browser extension can let us write words good ish like.

      +1

    7. Re: seems like a feature by easyTree · · Score: 1

      To appeal to their target audience?

      (*) Not excusing myself, Grammar and I are not on best terms :D

    8. Re:seems like a feature by Anonymous Coward · · Score: 0

      Oh, supposedly it's much more fun than that. From what I've gathered, the US company is a front for a Ukrainian company, and yes, they get everything you type, passwords, etc.

    9. Re:seems like a feature by Cajun+Hell · · Score: 1

      But it's an entirely other type of skill to program something that can't be broken by malicious actors.

      Early teacher: "Garbage in, garbage out."

      Real life need: "Whatever in, never-fucking-ever garbage out. Output must always be correctly formed, even if that means it's blank or otherwise useless."

      --
      "Believe me!" -- Donald Trump

    10. Re:seems like a feature by Anonymous Coward · · Score: 0

      "Never attribute to malice that which is adequately explained by stupidity." -- Robert J. Hanlon.

      Not even stupidity necessarily, as it turns out that security is actually hard, and even "competent" people who write software with the best of intentions can produce code with glaring holes that don't get plugged or discovered for years. Just have a look at nearly every piece of software that has ever existed for an example of this.

      While I feel fairly comfortable categorizing the vast majority of people who use this software as dipshits, I lack familiarity with the creators so I can't speak to their intelligence.

    11. Re:seems like a feature by Anonymous Coward · · Score: 0

      You can write more secure code but if you think you can write code that can't be broken, you're dreaming. People are always coming up with new ways to break code.

    12. Re:seems like a feature by cascadingstylesheet · · Score: 1

      Based on the adverts I've seen for this service, it looks like it is first-and-foremost a browser-based keylogger anyway, with the copy editing features just being the hook to get people to install (and pay?) for the 'service'. The 'bug' is probably just that actors other than paying companies and intelligence agencies can get free access to the data.

      Sounds like what Google themselves are offering in syncing with your phones. They also record and track everything you write on the internet, but it isn't spyware, it is a feature!

      We trust all kinds of software with everything, or a reasonable approximation of everything, that we type. E.g. Office365, Google ...

    13. Re:seems like a feature by Anonymous Coward · · Score: 0

      Well, your post is gooder than mine. But the browser extension, Grammarly, could be goodest in english.

    14. Re:seems like a feature by Anonymous Coward · · Score: 0

      Exactly! In fact, using it while transacting with cryptocoins is dangerous. Just like the previous article claiming he got hacked on his smartphone and losing thousands of dollars. Lol, I mean, who the hell trusts their smartphone is plain stupid. All types of spying is enabled on smartphones. It is a god damned black box you don't know if what you type are all uploaded to mothership.

  2. Wasn't WebExtensions supposed to protect us?! by Anonymous Coward · · Score: 1, Interesting

    Firefox recently switched to the WebExtensions model for browser extensions, which is basically Firefox's imitation of Chrome's extension system.

    Firefox 57, which was released in the middle of November 2017, was hugely disruptive. It broke nearly all of Firefox's existing extensions, and worst of all, there are some existing extensions that couldn't even be reimplemented properly because WebExtensions is so crippled and limited.

    The crippling of Firefox's extension system, which rendered Firefox nearly useless for many power users, was justified by saying that it made Firefox's users "safer". Of course, many sensible Firefox users were skeptical of these claims.

    I think that this incident just goes to show that the Firefox users who questioned the security claims being made about WebExtensions were absolutely correct.

    So now Firefox is not only crippled and much less useful than it was just a few months ago, but we haven't even realized any security gains from the switch over to the extension system that imitates Chrome's approach.

    The Firefox 57 debacle was already bad enough, but this incident makes it even worse than it already was, I think.

    1. Re:Wasn't WebExtensions supposed to protect us?! by Anonymous Coward · · Score: 1

      How would this vulnerability have been prevented by a XUL-based extension that couldn't be done with a WebEx extension?

    2. Re:Wasn't WebExtensions supposed to protect us?! by Anonymous Coward · · Score: 0

      If you bother to read the actual bug, rather than just go on your sensationalist screed, then you'd know that this ISN'T a bug in Firefox (or Chrome), it's a bug in Grammarly's addon that exposes your Grammarly info, not "everything in existence in your browser history" or something.

      In other words, this bug is limited to the addon and Grammarly, and WebExtensions have kept it from being as bad as it could have been if they were using XUL instead (where *everything* in your browsing data could have potentially been fair game).

      So what I'm trying to say here is simply that you're full of shit, and making a very poor showing of the case you're trying to present. Only people who have already equally decided that "Mozilla and Firefox 57 are terrible no matter what the truth really is" are going to entertain such ignorant, self-serving, uninformed drivel.

    3. Re:Wasn't WebExtensions supposed to protect us?! by Anonymous Coward · · Score: 0

      What difference does that make?

      If both XUL and WebExtensions extensions can behave in this way, then both are equal in that respect.

      But security is only part of the picture.

      Another big part is utility.

      When it comes to utility, XUL has a massive advantage over WebExtensions, since WebExtensions extensions are so limited in what they can do.

      So here are our two scenarios:

      1) XUL: Some security problems, but also extremely powerful and versatile.

      2) WebExtensions: Some security problems, but very limited.

      We're better off going with XUL, because at least we get utility.

      With WebExtensions we just get security problems, and very limited utility.

      XUL gives us at least one upside, even if there is some downside.

      WebExtensions gives us two downsides, and from what I've seen of it so far, no upsides.

    4. Re:Wasn't WebExtensions supposed to protect us?! by Anonymous Coward · · Score: 0

      Can somebody please mod down the parent comment? It's very naive and wrong-headed.

      Your argument amounts to this: "It's not Windows 98's fault that it has limited security controls and so it's easily compromised by various forms of malware! It's a bug with the malware that the malware does bad things!"

      Face it, you're wrong, and your argument is junk.

      If browsers like Chrome and Firefox want to pretend to be operating systems, then they need to grow up like Windows eventually did and they need to improve their security so that they aren't exploited by extensions that go bad.

      We shouldn't excuse Windows 98 for being exploitable, and we shouldn't excuse Chrome or Firefox, either.

      Clearly WebExtensions isn't the sort of security controls that are needed, as both Chrome and Firefox were affected in this case.

      Stop making excuses for poor security.

    5. Re:Wasn't WebExtensions supposed to protect us?! by Anonymous Coward · · Score: 0

      Listen to yourself for a hot second here. You're basically telling people that:
      - it's the browser's fault that an addon can't tell between an addon intentionally giving away its own information or mistakenly giving it away.
      - an addon mistakenly giving away its own information is somehow giving away OTHER information, which it did not do.

      In addition, you're telling others to downmod me for pointing out both of your inane mistakes, which are painfully clear to anyone who has ever written software: the computer/OS/browser CANNOT magically tell if you are using the wrong API for a job, or using it incorrectly. The onus is on YOU to use things properly, as Grammarly quickly did when they spotted their silly mistake and patched their addons to use the messaging APIs correctly (that is, the ones that the browsers provided for them already).

      Now, if your actual unstated argument is that "addons shouldn't be able to pass such information to pages at all" then you've done a piss poor job of articulating that, because you acted like the older Firefox addon system (which was vastly less secure and more permissive than this one) was somehow "better". If you want addons to be able to do useful work, you have to accept that they can also screw up in equally useful ways (to malicious actors).
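The mistake this comment describes, an extension passing its own secret into page context and the fix of routing requests through the extension's messaging APIs instead, as an added JavaScript illustration. It is not Grammarly's code nor a reconstruction of the actual bug: the message types, the placeholder token and the toy text check are all constructed.

```javascript
// Added illustration, not Grammarly's code: a content script that hands an
// extension secret to whatever page it runs in, beside a design that keeps
// the secret out of page context entirely. Runs in Node: the browser
// objects are modelled, and every value below is constructed.

const EXTENSION_SECRET = "tok-CONSTRUCTED-PLACEHOLDER"; // stands in for a session token

// A window "message" event as a content script sees it. Any script on the
// page can produce one with window.postMessage, so nothing in it is trusted.
function pageMessage(origin, data) {
  return { origin, data };
}

// --- Vulnerable pattern: the content script answers "give me the token" ---
// A content script shares the page's window. Whatever it returns here goes
// back with window.postMessage into the page's own JavaScript, so any site
// the user visits can ask for the token and receive it.
function vulnerableContentScript(event) {
  if (event.data && event.data.type === "get-token") {
    return { type: "token", token: EXTENSION_SECRET };
  }
  return null;
}

// --- Hardened pattern: the secret exists only in the background context ---
// Model of the background script. Web pages cannot listen on runtime
// messaging (chrome.runtime.onMessage); only the extension's own parts can.
const background = {
  sessionToken: EXTENSION_SECRET,
  handle(msg) {
    if (msg.type !== "check-text" || typeof msg.text !== "string") return null;
    // Here the background script would call the proofreading API itself,
    // sending this.sessionToken in an Authorization header. Only the
    // result travels back; the token never leaves this context.
    const issues = [];
    for (const m of msg.text.matchAll(/\bteh\b/g)) {
      issues.push({ at: m.index, fix: "the" }); // toy stand-in for the real check
    }
    return { type: "check-result", issues };
  },
};

// Stand-in for chrome.runtime.sendMessage from content script to background.
const sendToBackground = (msg) => background.handle(msg);

// Hardened content script: accepts one known request type, forwards only the
// text, and relays only the background's answer. An origin allowlist would
// not have rescued the vulnerable version: the token belongs to the
// extension, so no page origin should ever be handed it.
function hardenedContentScript(event) {
  if (!event.data || event.data.type !== "check-text") return null;
  return sendToBackground({ type: "check-text", text: String(event.data.text) });
}

// Check for either design: does a reply carry the secret into the page?
function leaksSecret(reply) {
  return reply !== null && JSON.stringify(reply).includes(EXTENSION_SECRET);
}
```

The `leaksSecret` check is the kind of assertion an extension's own tests can run over every reply its content script can produce, whichever origin asked.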

    6. Re:Wasn't WebExtensions supposed to protect us?! by Anonymous Coward · · Score: 0

      1) XUL: Some security problems that can compromise the entire system, but also extremely powerful and versatile.

      2) WebExtensions: Some security problems, but very limited.

      FTFY

  3. one big keylogger by Anonymous Coward · · Score: 0

    for those that can spell

  4. Extensions by Anonymous Coward · · Score: 0

    One more reason NOT to use extensions. Browsers are already insecure enough as it is.

  5. A full circle by Anonymous Coward · · Score: 1

    From malware applications in operating systems to malware extensions in web browsers - we've come full circle. The browser is now the OS inside another OS.

    I'm eagerly awaiting full-blown antivirus programs for web browsers since we obviously can't trust the Walled Garden(r) to protect us.

  6. Meltdown-related clarification by CustomSolvers2 · · Score: 1, Informative

    Just in case this point isn't clear to everyone, the famous Meltdown bug (exemplified precisely with an attacker reading in plain text the passwords you type in Chrome) belongs to a completely different level of problems. This article is about the given application/process (for this purpose, a plugin can be considered part of the same application) leaking some of the information which the user stored in it. Meltdown is about a different application/process presumably reading information of the target one (Chrome/plugin in this case) which is stored in the given computer's memory.

    A quite descriptive analogy would be forgetting your wallet somewhere vs. someone reading your mind to know where your wallet is. I am not implying that exploiting Meltdown is as unlikely as reading someone's mind, but it doesn't seem too easy anyway (not sure though). Anyone wanting to share some insights into all this is welcome to a previous discussion about it.

    --
    Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.

  7. Re:You ARE Safe - There is NO Collusion by Anonymous Coward · · Score: 0

    To be fair, Trump's aides and campaign staff probably kept him as ignorant as possible, for fear of him revealing everything they did in braggart tweets.

  8. Just a Foreshadowing by forkfail · · Score: 4, Insightful

    This is nothing.

    Just wait till Alexa throws her party.

    That'll be where the real fun is at.

    --
    Check your premises.

    1. Re:Just a Foreshadowing by Anonymous Coward · · Score: 0

      Start the party early with multiple talk radio stations in the background upsampled to ultrasonic frequencies.

    2. Re:Just a Foreshadowing by Anonymous Coward · · Score: 0

      Will cheap standard speakers render ultrasound properly and will they do it without damaging themselves?

    3. Re:Just a Foreshadowing by Anonymous Coward · · Score: 0

      I'm sure it's coming soon.

  9. Maybe they should call their product by Anonymous Coward · · Score: 0

    Pwn3dly

  10. So glad that they got this fixed by Zontar_Thing_From_Ve · · Score: 1

    I am just so relieved that this commercial browser extension that affects, by my rough count, approximately 1 out of every 500 people on earth (assuming Grammarly's user counts are accurate) and offers a feature that just about everybody has no use for at all has been fixed.

    1. Re:So glad that they got this fixed by cascadingstylesheet · · Score: 1

      I am just so relieved that this commercial browser extension that affects, by my rough count, approximately 1 out of every 500 people on earth (assuming Grammarly's user counts are accurate) and offers a feature that just about everybody has no use for at all has been fixed.

      A browser extension used by 1/500 people on earth??? That's pretty awesome market penetration.

  11. Why can a plugin even do that? by Aristos+Mazer · · Score: 1

    Why can a plug-in even reach all the authentication tokens? Shouldn't it be only able to reach its own data? Doesn't this seem like a bug more in Firefox than in Grammarly? It sounds like a sandbox violation.

    1. Re:Why can a plugin even do that? by Anonymous Coward · · Score: 0

      Bad summary. If you read the article or bug report you'd know that the bug is Grammarly-specific. It was their tokens that were leaking, and your Grammarly login (and hence related Grammarly account info, like docs) that were being leaked.

      I also note that you only mention Firefox, not Chrome, though both versions were affected, implying that you didn't really read very closely or inspect the primary source. That would also have saved you and me this effort, even if the summary is typically horrible.

  12. Extension power by Anonymous Coward · · Score: 0

    Users want powerful extensions (that means XUL) and they want security. Will browsers keep their users safe or will they do a Mr Robot on their data.

  13. NSA response by Khashishi · · Score: 2

    Egads, foiled again!

    1. Re:NSA response by Anonymous Coward · · Score: 0

      Egads, foiled again!

      The NSA is never foiled. (\-|-/)

  14. My eyes, they bleed by Anonymous Coward · · Score: 0

    Considering Grammarly is advertised as a way for millennials to convert their horrific lack of grammar, spelling, and general knowledge of language to something approaching professional correspondence, who would *want* to read the raw text from before it was corrected? That's just masochism.

  15. Ironic by Maury+Markowitz · · Score: 1

    "A Bug in Browser Extension Grammarly, Now Patched, Could Have Allowed an Attacker To Read Everything Users Wrote Online"

    Good thing the only place I used it was writing Wikipedia articles then.

  16. Because the NSA/FancyBear/Jews leaves evidence by Anonymous Coward · · Score: 0

    ..of their activities all the time right?

  17. Luckily... by Anonymous Coward · · Score: 0

    Luckily I have perfect grammar... And I don't need anything like this... So glad.

  18. Re:You ARE Safe - There is NO Collusion by Anonymous Coward · · Score: 0

    Also he phones people in his social circles in New York and Florida which may be where some of the leaks came from.

  19. Why does this exist? by wardrich86 · · Score: 0

    Isn't this why we take English lessons in school? I suppose it could be helpful for ESL folk, but it seems like such a niche service...

    1. Re:Why does this exist? by Anonymous Coward · · Score: 1

      And some of us are experts at programming who have studied the field for decades, yet compilers and static analysis tools are always finding errors in our code (and many still go unnoticed). I guess we don't need those analysis tools, either, we should just try harder and hope for the best?

    2. Re: Why does this exist? by Anonymous Coward · · Score: 0

      Because writing code and writing a sentence are the same things. LUL.

  20. Yeah... by Anonymous Coward · · Score: 0

    emails to your attorney

    Yeah, grownups writing emails to their attorney aren't using a webmail client, and don't have this crap installed anyway.

  21. \o/ by easyTree · · Score: 1

    t) *sound of shredder going into standby*

    t+1)

    the company told Gizmodo in an email that it "has no evidence that any user information was compromised"

  22. Use locally installable technology: LanguageTool by DrYak · · Score: 1

    Based on the adverts I've seen for this service, it looks like it is first-and-foremost a browser-based keylogger anyway, with the copy editing features just being the hook to get people to install (and pay?) for the 'service'.

    Yup, I find it personally disturbing that people will let some shady 3rd party unknown server somewhere in Ukraine access (for "proofreading") every single thing they type online.

    You're better off using some technology that can be installed locally (or on your own-controlled servers):

    e.g.: LanguageTool
    - it has a webextension
    - it can be downloaded as a stand-alone version.
    (- and of course, you can point the extension to the URL of your stand-alone server)

    (both of the above are Free/Libre OpenSource Software, so auditable against nefarious code)

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]

  23. TEXTAREA by DrYak · · Score: 2

    The plugin is a proofreading tool.
    It makes all the nice colored wavy lines under your mistakes.

    It works in a <TEXTAREA>, <INPUT TYPE="text">, etc.

    This particular plug-in doesn't do the proofreading itself,
    it sends the text-to-be-corrected to some cloud server where the actual proofreading algorithms run.

    So for the plugin to work (and colored wavy lines to appear), the plugin needs to send everything you type out of your computer.

    It's basically a giant keylogger - BY DESIGN.

    It's just that some attackers have found a way to tap into the traffic and benefit from the built-in keylogging too.

    But it's the whole design of Grammarly which is flawed to begin with.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]

  24. They are the same thing by Anonymous Coward · · Score: 0

    The grammar/syntax is just much more limited than most languages. Any programming book is just a series of instructions to teach your meat computer how to program.