Grammarly's flawed Chrome extension exposed users' private documents

The grammar-correcting browser extension is used by about 22 million users.
Written by Zack Whittaker, Contributor
(Image: File photo)

Grammarly has fixed a security bug in its Chrome extension that inadvertently allowed access to a user's account -- including their private documents and data.

Tavis Ormandy, a security researcher at Google's Project Zero who found the "high severity" vulnerability, said the browser extension exposed authentication tokens to all websites.

That means any website can access a user's documents, history, logs, and other data, the bug report said.

"I'm calling this a high severity bug, because it seems like a pretty severe violation of user expectations," said Ormandy, because "users would not expect that visiting a website gives it permission to access documents or data they've typed into other websites."

In proof-of-concept code, he explained how to trigger the bug in four lines of code.

More than 22 million users have installed the grammar-checking extension.

Ormandy filed his bug report Friday, subject to a 90-day disclosure deadline -- as is the industry standard. Grammarly issued an automatic update Monday to fix the issue.

Ormandy has in recent months examined several vulnerable web browser extensions. Earlier this year, he found a remote code execution flaw in the Cisco WebEx Chrome extension, and a data-stealing bug in the popular LastPass password manager.

In a statement, a spokesperson for Grammarly confirmed the bug is fixed.

"At this time, Grammarly has no evidence that any user information was compromised by this issue. We're continuing to monitor actively for any unusual activity," the spokesperson said.

Editorial standards