Grammarly bug lets snoops read users' data

SAN FRANCISCO – Grammarly, the famous copyediting extension for Chrome and Firefox, had a major bug that inadvertently allowed access to a user’s account, including their private documents and data.

Tavis Ormandy, a security researcher at Google’s Project Zero who found the “high severity” vulnerability, said in the bug report that the browser extension exposed authentication tokens to all websites, meaning that any website could access a user’s documents, history, logs, and other data.

“I’m calling this a high severity bug because it seems like a pretty severe violation of user expectations, users would not expect that visiting a website gives it permission to access documents or data they’ve typed into other websites.”

The Grammarly team quickly patched the bug and has already auto-updated the extension, which is used by over 20 million users.
