Personal writings and more at risk due to Grammarly vulnerability

A researcher at Google recently found a critical vulnerability within spellchecking browser extension Grammarly, which could allow an attacker full access to your writings and account details. The extension has an average of 22 million users, meaning a fix is of utmost importance; Thankfully, this was quickly realized by the extension’s creators and a patch was issued within days. However, it doesn’t mean the vulnerability was never used. Therefore if you were, or are, using the extension make sure it has been updated.

Severe vulnerability found – but quickly fixed

A critical vulnerability was recently discovered in the Firefox and Chrome extension Grammarly – An extension used for checking spelling and grammar live.  7 million people use it daily and 22 million users are recorded in total. Due to a spell checker being so commonplace it might be easy to forget it actually reads all the data you write. Therefore it’s important it  and any data it has remains secure.

The vulnerability was discovered by Tavis Ormandy of Google’s Project Zero. By hiding malicious Javascript within a webpage the browser could be tricked into giving up the user’s authentication token. With the script only being four lines of code, it would hardly be noticeable. Once in possession of the token an attacker would be able to access your Grammarly account, online editor and all “documents, history, logs, and all other data” without any issues.

From the flaw was discovered by Ormandy to the time a fix had been issued was only 3 days, an impressively short time and much needed due to the severity of the vulnerability. Both Firefox and Chrome have issued patches which will be delivered as automatic updates. Grammarly also formally issued information on the patch release on twitter.

Other vulnerabilities – Including Adobe Flash

Due to a critical vulnerability found within Adobe Flash, the Swedish government agency MSB recently urged users of the extension to uninstall it. Information about this vulnerability will soon be issued on CYPRO’s Linkedin—Keep an eye out!

Are you curious about other browser vulnerabilities? CYPRO have previously written about Meltdown & Spectre, the pair of vulnerabilities which allow an attacker to read sensitive data on your system through browser code.