Flaw in Grammarly’s extensions opened user accounts to compromise

Haythem Elmir

A vulnerability in the Grammarly Chrome and Firefox extensions allowed websites to read users’ authentication tokens and use them to log in to the users’ Grammarly accounts and access all the (potentially sensitive) information held in them.
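The article does not describe how the extension leaked the token, so the following is an added illustration of the general bug class rather than Grammarly’s code or the actual flaw: a browser-extension content script that answers requests from the page it is injected into must decide which origins may receive the user’s token. The handler names, the `TRUSTED_ORIGINS` allowlist, the origins and the token value are all constructed for the example; the message objects stand in for browser `message` events.

```javascript
// Added example, not Grammarly's code. The page does not state the real
// mechanism; this models the bug class generically: an extension script
// that replies to page messages without checking who is asking.

// Constructed placeholder; a real extension would read this from its own storage.
const TOKEN = "constructed-sample-token";

// Assumed allowlist of origins that legitimately need the token.
const TRUSTED_ORIGINS = new Set(["https://app.example-service.test"]);

// Vulnerable pattern: any page that sends {type: "getToken"} gets the token.
// A page is free to inject such a request because the content script listens
// on the page's own window, so this hands the session to every visited site.
function vulnerableHandler(event) {
  if (event.data && event.data.type === "getToken") {
    return { type: "token", token: TOKEN };
  }
  return null;
}

// Hardened pattern: the reply depends on event.origin, which the browser sets
// and the sending page cannot forge. Unknown origins get no token at all.
// When posting the reply for real, pass event.origin as the targetOrigin
// rather than "*" so the response cannot be captured by a different frame.
function hardenedHandler(event) {
  if (!event.data || event.data.type !== "getToken") return null;
  if (typeof event.origin !== "string" || !TRUSTED_ORIGINS.has(event.origin)) {
    return { type: "error", reason: "untrusted origin" };
  }
  return { type: "token", token: TOKEN };
}

// Constructed message events: one from the allowlisted site, one from an
// arbitrary third-party site the user happens to visit.
const fromTrusted = {
  origin: "https://app.example-service.test",
  data: { type: "getToken" },
};
const fromThirdParty = {
  origin: "https://unrelated.example",
  data: { type: "getToken" },
};

// Run both handlers against both events and return the outcomes for comparison.
function compareHandlers() {
  return {
    vulnerableLeaksToThirdParty: vulnerableHandler(fromThirdParty).token === TOKEN,
    hardenedRefusesThirdParty: hardenedHandler(fromThirdParty).type === "error",
    hardenedServesTrusted: hardenedHandler(fromTrusted).token === TOKEN,
  };
}

console.log(compareHandlers());
```

The fix is the origin check plus a specific `targetOrigin` on the reply; a defender reviewing an extension should also confirm that tokens are only ever released to the extension’s own background context or to an explicit origin allowlist, never to whichever page happens to be hosting the content script.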

About the vulnerability

The vulnerability was discovered by Google Project Zero researcher Tavis Ormandy, who reported it to Grammarly on Friday.

“I’m calling this a high severity bug because it seems like a pretty severe violation of user expectations. Users would not expect that visiting a website gives it permission to access documents or data they’ve typed into other websites,” Ormandy noted.

He also provided proof-of-concept code for triggering the bug.

By Monday, the company pushed out a new version of the popular extension, with the hole plugged.

“At this time, Grammarly has no evidence that any user information was compromised by this issue. The bug potentially affected text saved in the Grammarly Editor,” the company stated on Tuesday.

“This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the browser extension. The bug is fixed, and there is no action required by our users. We’re continuing to monitor actively for any unusual activity.”

Ormandy praised the company’s swiftness in responding to the report and issuing the fix.

“I’ve verified that Mozilla now also has the update, so users should be auto-updated to the fixed version,” he noted.

The vulnerable Chrome extension has been downloaded by over 10 million users. The Firefox Grammarly extension has over 600,000 users.

To read the original article:




