Grammarly, the grammar-checking service, had an enormous hole in its browser extension.

Tavis Ormandy discovered that any webpage could easily hijack your session and steal all the information in your Grammarly account. And that includes absolutely everything you've typed into the service.

It's a jarring reminder that most browser extensions can capture this sort of sensitive data. In this week’s Security Blogwatch, we wonder if we can trust any of them to take our privacy seriously when they build this stuff.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The Falcon Heavy Launch as you’ve never heard it before …

What’s the craic, Zack Whittaker? Grammarly's flawed Chrome extension:

Grammarly has fixed a security bug … that inadvertently allowed access to a user's … private documents … history, logs, and other data.

…

More than 22 million users have installed the grammar-checking extension. … Grammarly issued an automatic update. … A spokesperson for Grammarly confirmed the bug is fixed.

And here’s Iain Thomson—Googler saves Grammarly:

Grammarly [is] grammar-checking software with online ads second only to Geico in terms of their ability to annoy.

…

The vulnerability [was] spotted on February 2 by Google Project Zero's Tavis Ormandy. … Poor coding in the extension allows … authentication tokens to be grabbed by four lines of code on … evil websites [which could] then access every document, note, or keystroke the app has recorded.

Let’s go to the horse’s mouth. Tavis Ormandy reports auth tokens are accessible to all websites:

I'm calling this a high severity bug, because it seems like a pretty severe violation of user expectations.

…

Here is how to repro, on any website. … Obviously a website could do this … without any user interaction:

…

Grammarly had fixed the issue and released an update to the Chrome Web Store within a few hours, a really impressive response time. … I've verified that Mozilla now also has the update.

Phew, amirite? Roland Moore-Colyer cracx thee obvyus gaga: [You’re fired—Ed.]

Serial flaw spotter Travis Ormandy … informed, it of the bug. Grammarly was well fast and promptly patched da bug.

…

Grammarly fix-ed the bug in the extenshion in the Chrome Web Store. … Grammarly is claimed that the bug wasn't exploited and all is well wit the spelchecker.
Neveraless, the bug was certainly an alarming one as Grammarly having 22 million users on its book. … It does rise the qeshtion of how much acces we gif bowser extensions.

Pretty flaky code, eh? Heed the rantage of CastrTroy:

This is basically a symptom of a problem that exists everywhere. Most people can learn how to program. … But it's an entirely other type of skill to program something that can't be broken by malicious actors.
Most people … don't ever have their code attacked or challenged until much later into their career. It's hard enough for most companies to find developers that will check user input … never mind checking for users who are actively trying to attack the system.

DrYak goes further, likening it to a keylogger:

I find it personally disturbing that people will let some shady 3rd party unknown server somewhere in Ukraine access (for "proof reading") every single thing they type.

…

You're better off using some technology that can be installed locally … e.g.: LanguageTool [is] Free/Libre OpenSource Software, so auditable against nefarious code.

And ocdtrekkie is compelled to agree:

Collecting everything you type into a web browser … and sending it to them seems like a really bad idea.

…

[But] cloud-connected keyloggers are mainstream. … Windows does it if you have their "inking and typing" setting enabled. A lot of mobile keyboard apps do it.

…

There are a LOT of things out there that collect everything you type these days, and rarely do people want to define them as keyloggers.

…

Grammarly's Microsoft Office plugin installs to the user folder (without requiring admin rights) as well. I've made a request to our antivirus vendor to add detection and blocking of Grammarly specifically.

…

Google offers ADMX templates for controlling Chrome which can be deployed through group policy. It includes an extension blacklist … an extension whitelist, and a list of "force-installed apps and extensions."

Will Grammarly even be legal in Europe soon? This Anonymous Coward suspects not:

If this were a physical lock, it would be like Schlage shipping high security mortise hardware without pins.

…

Even though the GDPR is mainly a knee-jerk anti-US law to give the EU judges more "credibility" by attacking foreign companies, it might be a good thing overall, should they actually bother to keep their own house clean and enforce it domestically. It would make the consequences for stupid stuff like this … severe enough that products don't ship unless they actually had some QA in security.

Still, props for fixing it quickly. Right, Sjoerder?

Nice to see a company take this kind of thing appropriately seriously (although of course it should never have happened in the first place).

But Nicole “@nicoleperlroth” Perlroth alleges the rabbit hole goes deeper, basically:

I'd been researching a vulnerability with Grammarly on Microsoft 365 that basically neuters any password protected files (lifts any passwords you use on password protected files).
The company has basically said it will not address.

But is it at least a useful service? 伊月 a/k/a @circuitwi7ch thinks not:

I loathe Grammarly. They tried to get everyone to use it at work. I found it to be more of a nuisance & an overpriced product that doesn't work half the time. [It] lacks contextual corrections of syntax.

Meanwhile, Krzysiek “@cyber_kris” Szczepanski invokes Mister Arthur Weasley:

Never trust anything that can think for itself if you can't see where it keeps its brain.

The moral of the story? If you offer a browser extension, be careful not to leak sensitive info. And if you’re an IT shop, consider restricting browser extensions by policy.
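The second half of that moral in practice, as an added example that is not from the article or from Grammarly: a PowerShell script that writes the three Chrome extension policies ocdtrekkie mentions (blacklist, whitelist, force-install list) to the machine policy hive, which is exactly what Google's ADMX templates set when deployed through group policy. The extension IDs are placeholders, not real extensions.

```powershell
# Added example: restrict Chrome to an explicit allowlist of extensions.
# Writes the same registry values the Google ADMX templates set via GPO.
# Run elevated on one machine to test; use a GPO for fleet-wide rollout.
# Extension IDs below are PLACEHOLDERS, not real extension IDs.
$base    = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$allowed = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')   # vetted extensions (placeholder)
# Force-install entries use the "id;update_url" format Chrome expects.
$forced  = @('bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb;https://clients2.google.com/service/update2/crx')

function Set-ExtensionListPolicy {
    param([string]$Name, [string[]]$Ids)
    $key = Join-Path $base $Name
    # Recreate the key so stale entries from an earlier policy do not linger.
    if (Test-Path $key) { Remove-Item $key -Recurse -Force }
    New-Item $key -Force | Out-Null
    # Chrome reads list policies as numbered string values: 1, 2, 3, ...
    $i = 1
    foreach ($id in $Ids) {
        New-ItemProperty -Path $key -Name $i -Value $id -PropertyType String -Force | Out-Null
        $i++
    }
}

# "*" in the blacklist denies every extension that is not explicitly whitelisted,
# including anything a user installs by hand from the Web Store.
# (Newer Chrome releases also accept the renamed ExtensionInstallBlocklist /
#  ExtensionInstallAllowlist policies; the names below are the ones the page uses.)
Set-ExtensionListPolicy -Name 'ExtensionInstallBlacklist' -Ids @('*')
Set-ExtensionListPolicy -Name 'ExtensionInstallWhitelist' -Ids $allowed
Set-ExtensionListPolicy -Name 'ExtensionInstallForcelist' -Ids $forced

# Verify what Chrome will read; chrome://policy on the client shows the same lists.
foreach ($name in 'ExtensionInstallBlacklist', 'ExtensionInstallWhitelist', 'ExtensionInstallForcelist') {
    $props = Get-ItemProperty -Path (Join-Path $base $name)
    $ids   = $props.PSObject.Properties |
             Where-Object { $_.Name -match '^\d+$' } |
             ForEach-Object { $_.Value }
    '{0}: {1}' -f $name, ($ids -join ', ')
}
```

Chrome picks the policy up on its next policy refresh (or after a restart), and an extension that is already installed but no longer whitelisted is disabled rather than left running.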

And finally …

The Falcon Heavy Launch as you’ve never heard it before
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Correction: This article originally stated that the Grammarly leak included all data entered into the browser while the plug-in was installed. That was changed to reflect an error in reporting from one of the cited sources and now reads: "And that includes absolutely everything you've typed into the service." The headline was also changed for accuracy.