Security hole meant Grammarly would fix your typos, but let snoopers read your private writings

Graham CLULEY

February 06, 2018

A Google vulnerability researcher has found a gaping security hole in a popular web browser extension that could potentially have exposed your private writings on the internet.

The Grammarly real-time spelling and grammar checker, which has over seven million daily users, describes itself as all you need to ensure that “everything you type is clear, effective, and mistake-free.”

As someone who is prone to getting muddled over whether to use “less” or “fewer”, or how to spell “accommodation”, I can certainly understand its appeal.

But because it is constantly looking over your shoulder at everything you type online, you want to be sure that Grammarly is taking proper care of the information it is proofreading for you.

Perhaps, then, poor spellers around the world should be grateful that vulnerability hunter extraordinaire Tavis Ormandy of Google’s Project Zero group appears to have found what he described as a “high severity bug” before it was uncovered by anybody more malicious.

Ormandy discovered that a simple piece of JavaScript hidden on a malicious website could secretly trick the Grammarly extension for Firefox and Chrome into handing over a user’s authentication token.

With such a token, a malicious hacker could log into your Grammarly account, access Grammarly’s online editor, and unlock your “documents, history, logs, and all other data.”
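The article does not say how the malicious page's JavaScript coaxed the token out of the extension, so the following is an added illustration and not Grammarly's code or Ormandy's finding. It models the general class of bug described above: an extension content script that answers a page-world request for its authentication token without checking which site is asking, beside a hardened handler that refuses anything not on an explicit origin allow-list. The token value, the allow-listed origin, the message type and the helper names are all constructed for this example.

```javascript
// Added example (not the original page's or Grammarly's code): a content
// script that hands out its session token on request, in a vulnerable and a
// hardened form. All names and values below are constructed for illustration.

const SESSION_TOKEN = "constructed-session-token-123"; // stand-in secret

// Origins the extension legitimately needs to answer (assumed for the example).
const ALLOWED_ORIGINS = new Set(["https://editor.extension.example"]);

// A minimal stand-in for the MessageEvent a window.postMessage listener
// receives: only the fields the handlers look at (constructed, not the DOM).
function makeMessageEvent(origin, type) {
  return { origin, data: { type } };
}

// Vulnerable pattern: any page that sends {type: "getToken"} gets the token.
// A script on an unrelated site can therefore read a credential that was only
// ever meant for the extension's own service.
function vulnerableHandler(event) {
  if (!event.data || event.data.type !== "getToken") return null;
  return { token: SESSION_TOKEN };
}

// Hardened pattern: verify the sender's origin against the allow-list before
// revealing anything. Unknown origins get a refusal and a log entry, which is
// also the signal a defender would want to alert on.
const refusedOrigins = [];
function hardenedHandler(event) {
  if (!event.data || event.data.type !== "getToken") return null;
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    refusedOrigins.push(event.origin); // recorded here; console.warn in practice
    return { error: "origin not allowed" };
  }
  return { token: SESSION_TOKEN };
}

// Drive both handlers with a request from an arbitrary third-party site and
// one from the allow-listed origin, and report what each handler released.
function exercise(handler) {
  const fromOtherSite = handler(makeMessageEvent("https://some-other-site.example", "getToken"));
  const fromAllowed = handler(makeMessageEvent("https://editor.extension.example", "getToken"));
  return {
    leaksToOtherSite: fromOtherSite !== null && fromOtherSite.token === SESSION_TOKEN,
    servesAllowed: fromAllowed !== null && fromAllowed.token === SESSION_TOKEN,
  };
}

console.log("vulnerable:", exercise(vulnerableHandler)); // leaksToOtherSite: true
console.log("hardened:  ", exercise(hardenedHandler));   // leaksToOtherSite: false
```

The origin check is the minimum; a content script that never exposes the token to the page world at all (keeping it in the extension's background context and only relaying the results of authenticated requests) removes the question entirely.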

The good news is that Grammarly responded with impressive speed after being informed of the problem by Ormandy. Even though the Google security researcher gave Grammarly 90 days to fix the issue, it was actually resolved within a few hours – a response time that Ormandy described as “really impressive.”

Grammarly turned to Twitter to reassure users that it had rolled out a patch for the bug, and that exploitation of the vulnerability was limited to text saved in the Grammarly Editor.

“This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the browser extension.”

“The bug is fixed, and there is no action required by our users.”

With an automatic update already rolled out to the Firefox and Chrome extension libraries, chances are that the problem was fixed before it could be maliciously exploited. All the same, it’s impossible to be 100% certain that Tavis Ormandy was the first person in the world to uncover this particular bug – so it always makes sense to keep an eye open for suspicious activity.
