Google’s Project Zero team identified a security bug in Grammarly’s chrome extension which leaves user data exposed for exploitation. In a latest update on the bug, Grammarly has fixed a security bug on Monday.
Tavis Ormandy, a security researcher at Google’s Project Zero identified this bug. Project Zero is a security team at Google which works on identifying vulnerabilities.
Ormandy categorized this as high vulnerability bug and said, “I’m calling this a high severity bug, because it seems like a pretty severe violation of user expectations, because users would not expect that visiting a website gives it permission to access documents or data they’ve typed into other websites.”
More than 22 million users across the world use Grammarly as a Extension or add-on to check the spelling and grammar online.
Ormandy has already filed a bug report on Friday which has a 90-day disclosure deadline. He has explained a POC code in his report which explains how the bug can be used to retrieve the authentication tokens to all websites the user has visited. Authentication tokens can be used by any websites to gain access to user’s documents, history and other data.
Grammarly thanked Tavis and Google Project Zero team in a tweet on Monday while releasing the fix on Chrome Web Store and Mozilla within few hours.
Latest Updates for Chrome and Mozilla: