Grammarly has fixed a vulnerability that exposed users' documents created and saved within the platform's Editor interface. Tavis Ormandy, a Google computer security researcher who discovered a memory disclosure bug in CloudFlare’s reverse-proxy systems in February 2017, wrote up a security advisory about the Grammarly flaw on 2 February. In it, the researcher doesn't mince his words when describing the impact of the weakness:
The Grammarly Chrome extension (approx ~22M users) exposes its auth tokens to all websites, therefore any website can log in to grammarly.com as you and access all your documents, history, logs, and all other data. I'm calling this a high severity bug, because it seems like a pretty severe violation of user expectations.
Launched in late 2009, Grammarly is a platform that instantly checks English-language writing for grammatical and spelling errors. Users can install a browser extension for the platform so that it can enhance their writing across all websites. To that end, the platform uses authentication tokens: browser cookies that are set by a server and sent back to the platform's software with every transaction an authenticated user completes. Ormandy discovered that JavaScript loaded from any third-party website could expose a user's Grammarly authentication tokens. An attacker could then use that code to compromise the user's account and all the documents created and saved in it. Upon notifying the platform of the security issue, Ormandy was surprised by the speed with which Grammarly issued a fix:
Grammarly had fixed the issue and released an update to the Chrome Web Store within a few hours, a really impressive response time. I've verified that Mozilla now also has the update, so users should be auto-updated to the fixed version. I'm calling this issue fixed.
The platform confirmed on Twitter (https://twitter.com/Grammarly/status/960621024306868225) that it had issued a patch for the vulnerability. It went on to say that it "has no evidence that any user information was compromised by this issue." Users should verify they're running the latest versions of the extension on Chrome (14.826.1446) and Firefox (8.804.1449).