Spelling and grammar checker Grammarly exposed users' documents, thanks to a vulnerability in its browser exte...
Google Project Zero researcher Tavis Ormandy discovered the Grammarly vulnerability and disclosed it on Feb. 2, 2018. The browser extensions for Google Chrome and Mozilla Firefox exposed their authentication tokens to websites, enabling any website to log in to a user's account and access all documents, history, logs and other data.
"I'm calling this a high severity bug because it seems like a pretty severe violation of user expectations," Ormandy said in his report. "Users would not expect that visiting a website gives it permission to access documents or data they've typed into other websites." Ormandy noted that the Grammarly browser extension for Chrome has approximately 22 million users.
The Grammarly vulnerability affected only text saved in the Grammarly Editor tool. The Keyboard tools, the Microsoft Office add-in for Grammarly and any text entered on websites while using the Grammarly browser extension were not affected, according to the company.
Because of this Grammarly vulnerability, an attacker could have accessed authentication tokens by getting the targeted user to visit a malicious website.
"If your authentication cookie leaked out to someone else, they could add it into their own web requests and the server would treat them as if they were you, because the server would assume that the imposter must already have supplied your username and password," Paul Ducklin, senior technologist at Sophos, explained in a blog post.
Ducklin further explained that browsers like Chrome and Firefox are supposed to connect to servers using HTTPS, which is meant to keep authentication tokens secret and thus prevents token theft or network eavesdropping. The browser is then supposed to enforce a same-origin policy that ensures cookies from one website are only ever used on that website.
"Unfortunately -- or perhaps fortunately, given that no one else seems to have found this before him -- Ormandy realized that the Grammarly extension didn't enforce the same-origin policy properly," Ducklin wrote.
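The article does not describe the extension's internals, so the following is an added illustration of the origin check Ducklin refers to, not Grammarly's code or Ormandy's report. It assumes a hypothetical extension bridge that hands a session token to pages over message events; every name, origin and token value in it is constructed.

```javascript
// Added illustration (not Grammarly's code). Hypothetical extension "bridge"
// that answers token requests arriving as message events from web pages.
const TRUSTED_ORIGINS = new Set(["https://editor.example.test"]); // assumed first-party origin
const SESSION_TOKEN = "constructed-sample-token";                 // constructed value

// Weak: replies to whichever page asked, so any visited site gets the token.
function weakBridge(event) {
  if (!event.data || event.data.type !== "get-token") return null;
  return { targetOrigin: event.origin, token: SESSION_TOKEN };
}

// Exact-match origin check. Substring or suffix tests are not enough:
// "https://editor.example.test.attacker.test" contains the trusted name.
function isTrustedOrigin(origin) {
  let url;
  try {
    url = new URL(origin);          // throws for "null" (sandboxed or opaque senders)
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;            // no plaintext senders
  return url.origin === origin && TRUSTED_ORIGINS.has(origin);
}

// Hardened: same request format, but the token is released only to an
// allowlisted origin, and the reply is addressed to that origin, never "*".
function hardenedBridge(event) {
  if (!event.data || event.data.type !== "get-token") return null;
  if (!isTrustedOrigin(event.origin)) return null;
  return { targetOrigin: event.origin, token: SESSION_TOKEN };
}

// Constructed sample events, shaped like browser MessageEvent objects.
const SAMPLE_EVENTS = [
  "https://editor.example.test",
  "https://unrelated-site.test",
  "https://editor.example.test.attacker.test",
  "http://editor.example.test",
  "null",
].map((origin) => ({ origin, data: { type: "get-token" } }));

// Returns the origins that would have received the token from a given bridge.
function originsGivenToken(bridge) {
  return SAMPLE_EVENTS.map(bridge).filter(Boolean).map((r) => r.targetOrigin);
}

console.log("weak:    ", originsGivenToken(weakBridge));
console.log("hardened:", originsGivenToken(hardenedBridge));
```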
Ormandy reported the vulnerability to Grammarly on Friday, and the company responded promptly.
We were made aware of a security issue with our extension on Friday and worked with Google to roll out a fix within a few hours. — Grammarly (@Grammarly) February 5, 2018
Thank you to @taviso and the team for finding and educating the community about the complexities of this bug. We will provide more updates soon.
"Grammarly had fixed the issue and released an update to the Chrome Web Store within a few hours, a really impressive response time," Ormandy wrote on the Project Zero forum.
Users of the Grammarly browser extension don't need to take any action to fix the issue, since the browser extensions have been automatically patched. There have been no reported exploitations of the Grammarly vulnerability, and the company said there's "no evidence that any user information was compromised by this issue."