Flaw in Grammarly Browser Extension Exposed User Documents

Flaw in Grammarly Browser Extension Exposed User Documents

Sometimes words are hard, and that’s why some 22 million people have installed the Grammarly extension for Chrome. Grammarly promises to catch your typos and grammatical errors, but for a while, it was also exposing your personal documents to potential snooping by any website you visited. That the sort of breach of trust that can spell doom for a startup.

Grammarly goes beyond a normal spell checker by assessing your sentence structure and word usage. It operates on websites in virtually any text field, but there’s also a dedicated editing interface if you want to go through a larger block of text. Grammarly is popular because it can point out things in your writing that you might never notice yourself. It’s like having a copyeditor living inside your computer, but many of the advanced features require a paid subscription to the service.

The full Grammarly editor is where Grammarly ran into an issue. After entering text into the editor, the flaw made it available to anyone who knew how to look for it. According to Google Project Zero researcher Tavis Ormandy, the extension had a critical bug that exposed the user’s auth token. That’s as good as handing over your user name and password.

With your auth token, a website could log into the Grammarly service as you. That means all your documents saved in Grammarly would be accessible. If you dropped an email to your lawyer or your significant other into Grammarly’s editor, they were hanging out in the open for anyone to snatch. Thankfully, text that you typed in other websites that was merely scanned on the fly by Grammarly was never in jeopardy.

This code demonstrates how a website could pull your auth token from Grammarly.
This code demonstrates how a website could pull your auth token from Grammarly.

To its credit, Grammarly acted quickly when alerted by Project Zero. Developers pushed out an update that patched the security hole that exposed auth tokens in the first place. The company says it has no evidence that any websites exploited this vulnerability to steal data from users. That suggests Tavis Ormandy was the first one to spot the issue, which is very much why Google’s Project Zero exists.

If some online criminal had found this hole before Ormandy, there could have been a lot of upset Grammarly users. That probably would have been the end of Grammarly as a company as well. So, there’s no emergency — you don’t need to run to your computer and nuke Grammarly. Just make sure all your Chrome extensions are set to automatically update.

Continue reading

Intel Launches AMD Radeon-Powered CPUs
Intel Launches AMD Radeon-Powered CPUs

Intel's new Radeon+Kaby Lake hybrid CPUs are headed for store shelves. Here's how the SKUs break down and what you need to know.

Review: The Oculus Quest 2 Could Be the Tipping Point for VR Mass Adoption
Review: The Oculus Quest 2 Could Be the Tipping Point for VR Mass Adoption

The Oculus Quest 2 is now available, and it's an improvement over the original in every way that matters. And yet, it's $100 less expensive than the last release. Having spent some time with the Quest 2, I believe we might look back on it as the headset that finally made VR accessible to mainstream consumers.

AMD May Allow Custom RX 6900 XT Cards, Launch Stock May Be Limited
AMD May Allow Custom RX 6900 XT Cards, Launch Stock May Be Limited

There are rumors that Nvidia may not be the only company facing production shortages this holiday season. High-end GPUs might just be very hard to find in general.

Intel Launches New Xe Max Mobile GPUs for Entry-Level Content Creators
Intel Launches New Xe Max Mobile GPUs for Entry-Level Content Creators

Intel has launched a new consumer, mobile GPU — but it's got a very specific use-case, at least for now.