Google Project Zero security researcher Tavis Ormandy, who’s also known for finding multiple vulnerabilities in LastPass and other applications, uncovered a bug in the popular Grammarly Chrome extension (22 million users) that exposed authentication tokens to all websites the users may have visited.
A High Severity Bug
Ormandy called this vulnerability a “high severity bug” because it would allow any website access to all your documents, history, logs, and all other data used by the Grammarly Chrome extension. Ormandy noted the bug is quite severe because users wouldn’t expect that visiting a website would give it permission to access data they’ve typed into another website.
Grammarly Responds
The Grammarly bug was subject to a 90-day disclosure policy, but Grammarly was able to fix the bug much sooner than that, once Ormandy disclosed it to the company. According to Grammarly, Ormandy disclosed the bug on Friday, and through collaboration with the Google team of security researchers, the company was able to fix it within a few hours.
Grammarly added that it has no evidence that user information was compromised during the time this bug existed. Of course, that doesn’t necessarily mean no user was compromised, just that the company has no evidence of that happening. Grammarly noted that the bug potentially affected text saved in its editor.
Grammarly then reassured its users about the impact of the bug:
This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the browser extension. The bug is fixed, and there is no action required by our users. We’re continuing to monitor actively for any unusual activity.
High-Risk Extensions
Users of extensions such as Grammarly, which tend to have access to data on all websites you visit in order to serve their main function (such as correcting what you type), should be aware that these extensions come with certain risks.
These risks could include bugs such as the one we saw today, where a website could see all of that Chrome extension's data. The more data an extension can access, the worse the impact of unauthorized access could be. Alternatively, attackers could hack the servers of these services, and the outcome would be similarly bad or worse. The attackers would have access to all the data that extension has stored or can currently access.