
Sometimes words are difficult, and that's why some 22 million people have installed the Grammarly extension for Chrome. Grammarly promises to catch your typos and grammatical errors, but for a while, it was also exposing your personal documents to potential snooping by whatever website you visited. That's the sort of breach of trust that can spell doom for a startup.

Grammarly goes beyond a normal spell checker by assessing your sentence structure and word usage. It operates on websites in virtually any text field, but there's also a dedicated editing interface if you want to go through a larger chunk of text. Grammarly is popular because it can point out things in your writing that you might never notice yourself. It's like having a copyeditor living inside your computer, but many of the advanced features require a paid subscription to the service.

The full Grammarly editor is where Grammarly ran into an issue. After you entered text into the editor, the flaw made that text available to anyone who knew how to look for it. According to Google Project Zero researcher Tavis Ormandy, the extension had a critical bug that exposed the user's auth token. That's as good as handing over your user name and password.

With your auth token, a website could log into the Grammarly service as you. That means all your documents saved in Grammarly would be accessible. If you dropped an email to your lawyer or your significant other into Grammarly's editor, it was sitting out in the open for anyone to snatch. Thankfully, text that you typed on other websites, which Grammarly only scanned on the fly, was never in jeopardy.
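The core of the problem described above is an extension that hands its auth token to whichever page asks for it. The following is an added illustration, not Grammarly's code or Ormandy's proof of concept: a hypothetical extension's token handler in its weak form (any caller gets the token) next to a hardened form that answers only an explicit allow-list of sender origins. The origins and the token value are constructed sample values.

```javascript
// Added example (hypothetical extension, not Grammarly's code). A handler that
// returns the auth token to any page is equivalent to giving every website the
// user's password. The hardened handler exact-matches the sender origin against
// an allow-list, which is the kind of check that closes this class of hole.

const ALLOWED_ORIGINS = new Set(["https://app.example-editor.test"]); // constructed
const SAMPLE_TOKEN = "constructed-sample-token-not-real";             // constructed

// Normalise a sender origin. Returns null for anything that is not a plain
// https origin, so http:, javascript: and malformed values are rejected outright.
function normalizeOrigin(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;
  return url.origin;
}

// Weak pattern: the token goes to any caller, regardless of who is asking.
function weakTokenHandler(_senderOrigin) {
  return { ok: true, token: SAMPLE_TOKEN };
}

// Hardened pattern: only an allow-listed origin, compared exactly, gets a token.
// Exact matching matters: a prefix or substring check would let a look-alike
// host such as "app.example-editor.test.evil.example" through.
function hardenedTokenHandler(senderOrigin) {
  const origin = normalizeOrigin(senderOrigin);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, error: "origin not allowed" };
  }
  return { ok: true, token: SAMPLE_TOKEN };
}

// Simulate a few page origins asking the extension for the token and report
// which handler would have handed it over.
function demo() {
  const callers = [
    "https://app.example-editor.test",
    "https://evil.example",
    "https://app.example-editor.test.evil.example",
    "http://app.example-editor.test",
  ];
  return callers.map((o) => ({
    caller: o,
    weak: weakTokenHandler(o).ok,
    hardened: hardenedTokenHandler(o).ok,
  }));
}
```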

(Figure: code demonstrating how a website could pull your auth token from Grammarly.)

To its credit, Grammarly acted quickly when alerted by Project Zero. Developers pushed out an update that patched the security hole that exposed auth tokens in the first place. The company says it has no evidence that any websites exploited this vulnerability to steal data from users. That suggests Tavis Ormandy was the first one to spot the issue, which is very much why Google's Project Zero exists.

If some online criminal had found this hole before Ormandy, there could have been a lot of upset Grammarly users. That probably would have been the end of Grammarly as a company as well. So, there's no emergency — you don't need to run to your computer and nuke Grammarly. Just make sure all your Chrome extensions are set to automatically update.