SAN FRANCISCO – Grammarly, the famous copyediting extension for Chrome and Firefox, had a major bug that inadvertently allowed access to a user’s account, including their private documents and data.
Tavis Ormandy, a security researcher at Google’s Project Zero who found the “high severity” vulnerability, said in the bug report that the browser extension exposed authentication tokens to all websites, meaning that any website could access a user’s documents, history, logs, and other data.
“I’m calling this a high severity bug because it seems like a pretty severe violation of user expectations, users would not expect that visiting a website gives it permission to access documents or data they’ve typed into other websites.”
The Grammarly team quickly patched the bug and has already auto-updated the extension, which is used by over 20 million users.