Grammarly’s chrome extension bug puts user’s private data at risk

Google’s Project Zero team identified a security bug in Grammarly’s Chrome extension which left user data exposed for exploitation. In the latest update on the bug, Grammarly fixed it on Monday.

Tavis Ormandy, a security researcher at Google’s Project Zero, identified this bug. Project Zero is a security team at Google which works on identifying vulnerabilities.

Ormandy categorized this as a high-severity bug and said, “I’m calling this a high severity bug, because it seems like a pretty severe violation of user expectations, because users would not expect that visiting a website gives it permission to access documents or data they’ve typed into other websites.”

More than 22 million users across the world use Grammarly as an extension or add-on to check spelling and grammar online.

Ormandy had already filed a bug report on Friday, which has a 90-day disclosure deadline. In his report he explained proof-of-concept (PoC) code showing how the bug can be used to retrieve the authentication tokens for all websites the user has visited. These authentication tokens can be used by any website to gain access to the user’s documents, history and other data.

Grammarly thanked Tavis and the Google Project Zero team in a tweet on Monday while releasing the fix on the Chrome Web Store and Mozilla within a few hours.

Latest updates for Chrome and Mozilla:

[Image: Updates]
Source: Chrome Web Store, Mozilla Official Website
