Critical Flaw Inwards Grammarly Land Checker Could Allow Attackers Pocket Your Data

Influenza A virus subtype H5N1 critical vulnerability discovered inward the Chrome as well as Firefox browser extension of the grammar-checking software Grammarly inadvertently left all 22 meg users' accounts, including their personal documents as well as records, vulnerable to remote hackers.

According to Google Project Zero researcher Tavis Ormandy, who discovered the vulnerability on Feb 2, the Chrome as well as Firefox extension of Grammarly exposed authentication tokens to all websites that could live on grabbed past times remote attackers alongside merely 4 lines of JavaScript code.

In other words, whatsoever website a Grammarly user visits could pocket his/her authentication tokens, which is plenty to login into the user's concern human relationship as well as access every "documents, history, logs, as well as all other data" without permission.

"I'm calling this a high severity bug, because it seems similar a pretty severe violation of user expectations," Ormandy said inward a vulnerability report. "Users would non await that visiting a website gives it permission to access documents or information they've typed into other websites."

Ormandy has likewise provided a proof-of-concept (PoC) exploit, which explains how 1 tin easily trigger this serious põrnikas to pocket Grammarly user's access token alongside merely iv lines of code.

This high-severity flaw was discovered on Fri as well as fixed early on Mon morning time past times the Grammarly team, which, according to the researcher, is "a actually impressive reply time" for addressing such bugs.

Security updates are straight off available for both Chrome as well as Firefox browser extensions, which should croak automatically updated without requiring whatsoever activity past times Grammarly users.

Influenza A virus subtype H5N1 Grammarly spokesperson likewise told inward an e-mail that the companionship has no show of users beingness compromised past times this vulnerability.

"Grammarly resolved a safety põrnikas reported past times Google's Project Zero safety researcher, Tavis Ormandy, inside hours of its discovery. At this time, Grammarly has no show that whatsoever user information was compromised past times this issue," the spokesperson said. 

"We're continuing to monitor actively for whatsoever odd activity. The safety lawsuit potentially affected text saved inward the Grammarly Editor. This põrnikas did non behaviour upon the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or whatsoever text typed on websites piece using the Grammarly browser extension. The põrnikas is fixed, as well as at that topographic point is no activity required past times Grammarly users."

Stay tuned for to a greater extent than updates.