Grammarly extension bug could have exposed data to malicious actors

Grammarly earlier this weekend was found to suffer from a bug that exposed user data to any website it was used on. This was done by exposing its authorisation token to the sites, meaning any site which a Grammarly user used the extension on could in theory login to the users account and gain access to their account data and typed up documents (if any).

It was reported by Google’s Project Zero team, and disclosed only after the Grammarly team had the chance to push out updates resolving the error.

Vulnerability in Grammarly extension fixed (20M users), users should be auto-updated to a fixed version. Auth tokens were accessible to websites, allowing any website to login to your account and read all your docs. https://t.co/Ydk0JwArYD

— Tavis Ormandy (@taviso) February 5, 2018

The extensions for Chrome and Firefox were quickly patched, while Edge didn’t suffer from the bug in the first place.

In a statement to Gizmodo,  a Grammarly spokesperson confirmed, “The bug is fixed, and there is no action required by Grammarly users.” There were no cases of bad actors using the vulnerability to access user-data.