A Bug in Browser Extension Grammarly, Now Patched, Could Have Allowed an Attacker To Read Everything Users Wrote Online (gizmodo.com)
Copyediting app Grammarly included a gaping security hole that left users of its browser extension open to more embarrassment than just misspelled words. From a report: The Grammarly browser extension for Chrome and Firefox contained a "high severity bug" that was leaking authentication tokens, according to a bug report by Tavis Ormandy, a security researcher with Google's Project Zero. This meant that any website a Grammarly user visited could access the user's "documents, history, logs, and all other data," according to Ormandy. Grammarly provides automated copyediting for virtually anything you type into a browser that has the extension enabled, from blogs to tweets to emails to your attorney. In other words, there is an unfathomable number of scenarios in which this kind of major vulnerability could result in disastrous real-world consequences. Grammarly has approximately 22 million users, according to Ormandy, and the company told Gizmodo in an email that it "has no evidence that any user information was compromised" by the security hole. "We're continuing to monitor actively for any unusual activity," a Grammarly spokesperson said.
Just in case this point isn't clear to everyone, the famous Meltdown bug (exemplified precisely by an attacker reading, in plain text, the passwords you type in Chrome) belongs to a completely different level of problems. This article is about the given application/process (for this purpose, a plugin can be considered part of the same application) leaking some of the information which the user stored in it. Meltdown is about a different application/process presumably reading information belonging to the target one (Chrome/plugin in this case) which is stored in the given computer's memory.
A quite descriptive analogy would be forgetting your wallet somewhere vs. someone reading your mind to know where your wallet is. I am not implying that exploiting meltdown is as unlikely as reading someone's mind, but it doesn't seem too easy anyway (not sure though). Anyone wanting to share some insights into all this is welcome to a previous discussion about it.
Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.