A Bug in Browser Extension Grammarly, Now Patched, Could Have Allowed an Attacker To Read Everything Users Wrote Online

Copyediting app Grammarly included a gaping security hole that left users of its browser extension open to more embarrassment than just misspelled words. From a report: The Grammarly browser extension for Chrome and Firefox contained a "high severity bug" that was leaking authentication tokens, according to a bug report by Tavis Ormandy, a security researcher with Google's Project Zero. This meant that any website a Grammarly user visited could access the user's "documents, history, logs, and all other data," according to Ormandy. Grammarly provides automated copyediting for virtually anything you type into a browser that has the extension enabled, from blogs to tweets to emails to your attorney. In other words, there is an unfathomable number of scenarios in which this kind of major vulnerability could result in disastrous real-world consequences. Grammarly has approximately 22 million users, according to Ormandy, and the company told Gizmodo in an email that it "has no evidence that any user information was compromised" by the security hole. "We're continuing to monitor actively for any unusual activity," a Grammarly spokesperson said.

seems like a feature

Based on the adverts I've seen for this service, it looks like it is first-and-foremost a browser-based keylogger anyway, with the copy editing features just being the hook to get people to install (and pay?) for the 'service'. The 'bug' is probably just that actors other than paying companies and intelligence agencies can get free access to the data.

Re:seems like a feature

[CastrTroy]

This is basically a symptom of a problem that exists everywhere. Most people can learn how to program. In school they teach you how to program. But it's an entirely other type of skill to program something that can't be broken by malicious actors. Most people learn how to code in a very safe environment, and don't ever have their code attacked or challenged until much later into their career. It's hard enough for most companies to find developers that will check user input (does this number field actually contain a number), never mind checking for users who are actively trying to attack the system.

It's kind of a problem that's only found in the computer industry. Cars don't stop people from crashing them if they are actively trying to crash them, or some other person is actively trying to run them off the road. They can put in a few basic features like seat belts and airbags to help the passengers, but if somebody actively wants to harm the people in the car, then there's a good chance they will be able to do it.

Re:seems like a feature

But... but... those ads said if I write online I NEED it! Because apparently schools teach nothing and only a browser extension can let us write words good ish like.

Just a Foreshadowing

[forkfail]

This is nothing.

Just wait till Alexa throws her party.

That'll be where the real fun is at.

NSA response

[Khashishi]

Egads, foiled again!

TEXTAREA

[DrYak]

The plugin is a proof-reading tool.
It makes all the nice colored wavy line under your mistakes.

It works in an TEXTAREA> <INPUT TYPE="text"> etc.

This particular plug-in doesn't do the proof reading it self,
it sends the text-to-be-corrected to some cloud server where the actual proof reading algorithms run.

So for the plugin to work (and colored wavy line to appear), the plugin needs to send everything you type out of your computer.

It's basically a giant keylogger - BY DESIGN.

It's just that some attackers have found a way to tap into the traffic and benefit from the built-in key-loging too.

But it's the whole design of Grammarly which is flawed to begin with.