No, “everything” isn’t a typo.
Image: Grammarly/Gizmodo
Copyediting app Grammarly included a gaping security hole that left users of its browser extension open to more embarrassment than just misspelled words.
The Grammarly browser extension for Chrome and Firefox contained a “high severity bug” that was leaking authentication tokens, according to a bug report by Tavis Ormandy, a security researcher with Google’s Project Zero. This meant that any website a Grammarly user visited could access the user’s “documents, history, logs, and all other data,” according to Ormandy.
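The article does not say how the token reached other sites, only that it did. As an added illustration (not Grammarly's code, and not the mechanism Ormandy reported), the snippet below assumes the common pattern behind this class of bug: an extension script listens for page messages such as `{action: "getToken"}` and answers with the user's token. Without an origin check, any site the user visits can ask; with an allow-list, only the assumed origin `https://app.editor.example` is served. The handler is written as a plain function so it can be exercised outside a browser; the `window.addEventListener` wiring is shown in a comment.

```javascript
// Added example, not code from Grammarly or from the bug report. The message
// shape {action: "getToken"} and the allowed origin are assumptions for the demo.

// Assumed: the only origins that legitimately need the extension's auth token.
const ALLOWED_ORIGINS = new Set(["https://app.editor.example"]);

// Builds a handler in the shape of a window "message" listener.
//   getToken:    returns the user's stored auth token
//   checkOrigin: false reproduces the leaky pattern, true the hardened one
function makeTokenHandler(getToken, { checkOrigin }) {
  return function onMessage(event) {
    const data = event.data || {};
    if (data.action !== "getToken") return null;      // unrelated message: ignore
    if (checkOrigin && !ALLOWED_ORIGINS.has(event.origin)) {
      return { error: "origin not allowed" };        // hardened: refuse other sites
    }
    return { token: getToken() };                     // reply carries the secret
  };
}

// Simulates a script running on `origin` that sent
// window.postMessage({action: "getToken"}, "*") and received the listener's reply.
function simulateRequest(handler, origin) {
  return handler({ origin, data: { action: "getToken" } });
}

// Constructed sample token; a real extension would read it from its storage.
const getToken = () => "tok_constructed_123";

const vulnerableHandler = makeTokenHandler(getToken, { checkOrigin: false });
const hardenedHandler = makeTokenHandler(getToken, { checkOrigin: true });

// In a real extension the listener would be wired up roughly as:
//   window.addEventListener("message", (e) => {
//     const reply = hardenedHandler(e);
//     if (reply) e.source.postMessage(reply, e.origin); // target the sender, never "*"
//   });
```

Two details matter for the fix: the origin comparison must be an exact match against an allow-list (a substring test such as `origin.includes("editor.example")` is bypassable by `editor.example.evil.test`), and the reply must be posted back with the sender's origin as the target rather than `"*"`, so that a framed or redirected page cannot read it either.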
Grammarly provides automated copyediting for virtually anything you type into a browser that has the extension enabled, from blogs to tweets to emails for your attorney. In other words, there is an unfathomable number of scenarios in which this kind of major vulnerability could result in disastrous real-world consequences.
Grammarly has approximately 22 million users, according to Ormandy, and it’s unclear whether anyone took advantage of this glaring security hole to steal users’ private writings or correspondence. Grammarly did not immediately respond to our request for comment.
The good news is that Grammarly quickly fixed the bug in the Chrome Web Store, in what Ormandy called a “really impressive response time.” Ormandy says Mozilla confirmed that the fixed Firefox version of the extension has also rolled out to users, and the update should have been applied automatically.
Still, let this be a reminder that giving any browser extension the ability to read literally everything you type online could leave you totally screwed.