Story image

'No evidence' to suggest user info was compromised by Grammarly flaw

07 Feb 2018

Millions of Grammarly users were affected by a vulnerability that could have exposed their accounts and documents to the world – although the company says it is yet to see evidence that anything has been leaked.

Grammarly’s Firefox and Google Chrome browser plugins were both affected by the vulnerability, which was discovered by a Google Project Zero researcher.

While the bug has now been fixed through automatic updates, Firefox and Chrome users should check that their plugins have been updated to version 14.826.1446 for Google Chrome; and version 8.804.1449 for Firefox.

Grammarly provides free language-checking services for anyone who wishes to use them

In the bug report, the researcher explained the situation and demonstrated how it works.

“The Grammarly chrome extension (approx ~22M users) exposes it's [sic] auth tokens to all websites, therefore any website can login to grammarly.com as you and access all your documents, history, logs, and all other data. I'm calling this a high severity bug, because it seems like a pretty severe violation of user expectations,” he explains.
 
“Users would not expect that visiting a website gives it permission to access documents or data they've typed into other websites.”
 
According to Grammarly’s official Twitter page, the company was made aware of the siguation last Friday and promptly worked with Google to deploy a fix.
 
“At this time, Grammarly has no evidence that any user information was compromised by this issue. The bug potentially affected text saved in the Grammarly Editor,” a tweet from the company says.
 
“This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the browser extension. The bug is fixed, and there is no action required by our users. “
 
The researcher who discovered the bug says he was impressed with how Grammarly and Google handled the bug.
 

"Grammarly had fixed the issue and released an update to the Chrome Web Store within a few hours, a really impressive response time," he comments.
 
"I've verified that Mozilla now also has the update, so users should be auto-updated to the fixed version. I'm calling this issue fixed,” he concludes.
 
According to a September 2017 release, Grammarly revealed it had more than 6.9 million daily active users. Its free Chrome extension had been downloaded 10 million times.
 
Launched in 2008, Grammarly is a self-funded company that used its revenue from universities to expand into the enterprise and consumer markets.
 
“We’re continuing to monitor actively for any unusual activity,” Grammarly concludes.

50 million tonnes of e-waste: IT faces sustainability challenges
“Through This is IT, we want to help people better understand the problem of today’s linear “take, make, dispose” thinking around IT products and its effects like e-waste, pollution and climate change."
Vocus & Vodafone unbundle NZ's fibre network
“Unbundling fibre will provide retail service providers with a flexible future-proofed platform regardless of what tomorrow brings."
NZ Cricket ups data analytics game with Qrious
The Black Caps and White Ferns have implemented a data and analytics solution from Qrious to monitor and improve game strategy and player performance.
Gartner: Smartphone biometrics coming to the workplace
Gartner predicts increased adoption of mobile-centric biometric authentication and SaaS-delivered IAM.
Samsung & Trade Me offer AI-powered shopping
The smartphone camera & AI-powered tech, Trade Me says, is a ‘glimpse into the future of shopping’.
Neill Blomkamp's 'Conviction' is a prequel to BioWare's Anthem
You may remember Neill Blomkamp’s name from such films as District 9, Chappie, and Elysium. If you’ve seen any of those films, the short teaser trailer will seem somewhat familiar to you.
Security flaw in Xiaomi electric scooters could have deadly consequences
An attacker could target a rider, and then cause the scooter to suddenly brake or accelerate.
617 million stolen records up for sale on dark web
It may not be the first time the databases have been offered for sale.