Bug in Grammarly browser extension exposes what a user ever writes

The Grammarly browser extension, which has about 22 million users, exposed its authentication tokens to all websites, allowing any to access some of the user’s data without permission, according to a bug report from Google Project Zero’s Tavis Ormandy.

The high-severity bug was discovered on Friday and fixed early Monday morning, “a really impressive response time,” Ormandy wrote.

Grammarly, launched in 2009 by Ukrainian developers, looks at all messages, documents and social media posts and attempts to clean up errors so the user is left with the clearest English possible. The browser extension has access to virtually everything a user types, and therefore an attacker could access a huge trove of private data.

Exploitation is as simple as a couple of console commands granting full access to everything, as Ormandy explained. The company has no evidence that the vulnerability was exploited. The bug affected text entered in the Grammarly Editor but it did not affect text typed on websites while using the Grammarly browser extension.

The vulnerability affected Chrome and Firefox. Updates are now available for both browsers.

Grammarly spokesperson Michael Mager issued the following statement after the fixes went live: “Grammarly resolved a security bug reported by Google’s Project Zero security researcher, Tavis Ormandy, within hours of its discovery…The security issue potentially affected text saved in the Grammarly Editor. This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the Grammarly browser extension. The bug is fixed, and there is no action required by Grammarly users.”

Update: The article previously stated the bug allowed access to “all the user’s data.” In fact, the bug allows access only to text entered in the Grammarly Editor. The headline and article have been updated.