Grammarly Web Extension Hit By Data-Leak Flaw

Grammarly, with an installed base of tens of millions, has patched a bug that left users’ data exposed to malicious third-party websites

Grammarly, a grammar-checking service that makes popular add-ons for most major browsers, has been hit by a security gap that could have allowed malicious websites to observe anything typed by users.

The browser extensions allow the service to check text typed into web-based applications including Gmail, Facebook, Twitter and LinkedIn, as well as online publishing systems such as WordPress. The company also makes mobile apps for Android and iOS.

But Tavis Ormandy, a security researcher with Google, said he found a flaw in the way the browser extensions handle users’ authentication token. The bug meant any third-party website could pose as the user, logging in as them and observing the text they typed as it was checked by Grammarly.

“The Grammarly Chrome extension exposes its auth tokens to all websites, therefore any website can log into as you and access all your documents, history, logs, and all other data,” Ormandy wrote in an advisory – one that, ironically, contained a handful of errors in grammar and punctuation.

Token leak

“I’m calling this a high-severity bug, because it seems like a pretty severe violation of user expectations,” he wrote.

Ormandy estimated Grammarly’s Chrome extension alone has about 22 million users. As of May last year, when it completed a $110m (£78m) funding round, the company said it had about 6.9 million active users logging in each day.

Computer security firm Sophos said Grammarly’s extensions weren’t enforcing a policy that keeps authentication tokens private.

Such tokens make it possible for a user to remain logged into a service for a period of time, rather than having to constantly re-enter their username and password.

“The buggy extension could be tricked into handing your Grammarly authentication token over to JavaScript loaded from a third-party site,” Sophos said in a bulletin. “At that point… the offending JavaScript is automatically authorised by your browser to talk back to the server it came from, so it can call home with the stolen cookie, which then acts as a temporary ID badge giving access to your account.”

Anonymity under threat

Ormandy reported the issue to Grammarly at the end of last week and gave it 90 days before the bug’s details would be made public.

As it happened, Grammarly patched its extensions within a matter of hours, releasing new versions over the weekend. Ormandy then published the full details on the website of Google’s Project Zero security scheme.

Ormandy said he verified the fix on Chrome and Firefox.

Users will, however, be required to update their extension to the latest version to take advantage of the patch, unless their browser is set to auto-update its add-ons.

Browser extensions have been pinpointed as the source of major privacy leaks in the past.

One of the highest-profile cases occurred in 2016, when the Web of Trust add-on was found to be collecting the browsing habits of its more than 140 million users and selling the data to third parties in a form that could easily be linked back to particular individuals.

The problem was publicised by a German television probe, with investigators saying they used the data to identify the porn habits of a judge and the drug preferences of a German MP.

Following the incident Web of Trust temporarily withdrew the extension while it overhauled its privacy and anonymisation practices.

What do you know about the history of mobile messaging? Find out with our quiz!