Grammarly Contaminated with a High Severity Bug

The Silicon Review
07 February, 2018

More embarrassing than just misspelled words: a critical flaw was found in the Chrome and Firefox browser extensions of the English-language writing-enhancement platform Grammarly. The bug was nothing less than a gaping security hole in the Grammarly browser extension that left about 22 million users’ accounts, including personal documents and records, vulnerable to remote hackers.

Reported on February 2 by Tavis Ormandy of Google Project Zero, the bug is of high severity. According to Tavis, any website that a Grammarly user visits could steal the user's authentication tokens, which is more than enough to gain access to the user's account and take control of everything without permission. Worse, a remote attacker could do this with just 4 lines of JavaScript code. Tavis also provided a proof-of-concept (PoC) exploit in his vulnerability report, showing how easily a hacker could use this serious flaw to steal a Grammarly user's access token.

“I am calling this a high severity bug as it seems like a pretty severe violation of user expectations,” Tavis said in his vulnerability report. “Users would never expect that visiting a site gives it permission to access documents or data they have typed into other sites.”

To secure all its users’ data, Grammarly quickly fixed the bug in the Chrome Web Store, and Mozilla confirmed that the updated Firefox version of the extension has also been rolled out to users.

"We're continuing to monitor actively for any unusual activity. The security issue potentially affected text saved in the Grammarly Editor. This high severity bug didn’t affect the Grammarly Keyboard or Grammarly Microsoft Office add-on. The bug is fixed, and there is no action required by Grammarly users," a Grammarly spokesperson said.
