Copyediting app Grammarly included a gaping security hole that left users of its browser extension open to more embarrassment than just misspelled words.
The Grammarly browser extension for Chrome and Firefox contained a “high severity bug” that was leaking authentication tokens, according to a bug report by Tavis Ormandy, a security researcher with Google’s Project Zero. This meant that any website a Grammarly user visited could access the user’s “documents, history, logs, and all other data,” according to Ormandy.
Grammarly provides automated copyediting for virtually anything you type into a browser that has the extension enabled, from blogs to tweets to emails to your attorney. This bug only affected the Grammarly Editor, according to the company. But if you used it to check the grammar on your sensitive correspondents, there is an unfathomable number of scenarios in which this kind of major vulnerability could result in disastrous real-world consequences.
Grammarly has approximately 22 million users, according to Ormandy, and the company told Gizmodo in an email that it “has no evidence that any user information was compromised” by the security hole. “We’re continuing to monitor actively for any unusual activity,” a Grammarly spokesperson said.
The good news is, Grammarly quickly fixed the bug in the Chrome Web Store in what Ormandy called a “really impressive response time.” Ormandy says Mozilla confirmed the Firefox version of the extension also rolled out to users, and the updates should have been automatic.
“The bug is fixed, and there is no action required by Grammarly users,” the company spokesperson said.
Still, although the Grammarly bug was limited in its scope, let this be a reminder that giving any browser plugin the ability to access literally everything you type online could leave you totally fcuked.
Update, 10:08pm: A Grammarly spokesperson told Gizmodo in an email that it has no evidence of users being compromised by the vulnerability.
Update, Feb. 6, 4:30pm: Grammarly’s Michael Mager said in an email to Gizmodo that this is incorrect, as the bug “allowed access only to the user documents created and saved within the Grammarly Editor interface, which is available only when a user is logged in at Grammarly.com”
Mager explains: “On Grammarly.com there is no way to view texts that were typed in any other Grammarly product, such as text written on other websites while using the extension. Therefore, this bug was limited to the documents in the Grammarly Editor and did not affect any text typed while using the other products.”
We’ve updated this piece with the new information.
Correction: A previous version of this article’s headline stated that the bug could have allowed websites to access “everything you wrote online.” The bug in fact only affected text entered in the Grammarly Editor. The headline has been updated to reflect this new information. We regret the error.