Grammarly has fixed a vulnerability that exposes users’ documents created and saved within the platform’s Editor interface.
Tavis Ormandy, a Google computer security researcher who discovered a memory disclosure bug in CloudFlare’s reverse-proxy systems in February 2017, wrote up a security advisory about the Grammarly flaw on 2 February. In it, the researcher doesn’t mince his words when describing the impact of the weakness:
The Grammarly chrome extension (approx ~22M users) exposes it’s auth tokens to all websites, therefore any website can login to grammarly.com as you and access all your documents, history, logs, and all other data. I’m calling this a high severity bug, because it seems like a pretty severe violation of user expectations.
Launched in late 2009, Grammarly is a platform that instantly checks English language writing for grammatical and spelling errors. Users can install a browser extension for the platform so that it can enhance their writing across all websites. Towards that end, the platform uses authentication tokens, browser cookies which are set by a server and sent back to the program’s software with every transaction an authenticated user completes.
Upon notifying the platform of the security issue, Ormandy was surprised by the speed with which Grammarly issued a fix:
Grammarly had fixed the issue and released an update to the Chrome Web Store within a few hours, a really impressive response time. I’ve verified that Mozilla now also has the update, so users should be auto-updated to the fixed version. I’m calling this issue fixed.
The platform confirmed on Twitter that it’s issued a patch for the vulnerability:
We were made aware of a security issue with our extension on Friday and worked with Google to roll out a fix within a few hours.
Thank you to @taviso and the team for finding and educating the community about the complexities of this bug. We will provide more updates soon.
— Grammarly (@Grammarly) February 5, 2018
It went on to say that it “has no evidence that any user information was compromised by this issue.”
Users should verify they’re running the latest versions of the service on Chrome (14.826.1446) and Firefox (8.804.1449).