According to the Project Zero report filed on the Chromium bug tracker, around 22 million users were affected:
“The Grammarly chrome extension (approx ~22M users) exposes its auth tokens to all websites, therefore any website can login to grammarly.com as you and access all your documents and other data. I’m calling this a high severity bug, because it seems like a pretty severe violation of user expectations.
Users would not expect that visiting a website gives it permission to access documents from other websites.”
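To make the class of flaw in that report concrete, here is an added illustration; it is not Grammarly's code and not taken from the Project Zero report, and the message-passing mechanism, the allowed origin name and the token value are all assumptions. A content script that answers a `window.postMessage` request for the session token from whatever page sent it is, in effect, publishing that token to every site the user visits. The hardened handler answers only messages from its own window whose origin is on an explicit allowlist.

```javascript
// Added illustration of the bug class (not Grammarly's actual implementation).
// Models an extension content script that page scripts can reach via
// window.postMessage. Under Node the message event is built by hand below.

const SESSION_TOKEN = "example-session-token"; // constructed sample value

// Vulnerable pattern: any origin that asks for the token receives it.
function vulnerableHandler(event) {
  if (event.data && event.data.type === "getToken") {
    return { token: SESSION_TOKEN };
  }
  return null;
}

// Hardened pattern: respond only when the message came from our own window
// and the sending origin is on an explicit allowlist (assumed origin name).
const ALLOWED_ORIGINS = new Set(["https://app.grammarly.com"]);

function hardenedHandler(event, selfWindow) {
  if (!event.data || event.data.type !== "getToken") return null;
  if (event.source !== selfWindow) return null;        // another window or frame
  if (!ALLOWED_ORIGINS.has(event.origin)) return null; // site not on the allowlist
  return { token: SESSION_TOKEN };
}

// Build a message event shaped like the one a page's postMessage would deliver.
function makeEvent(origin, source, data) {
  return { origin, source, data };
}

// Simulate a hostile page and a legitimate one asking the same question.
function demo() {
  const pageWindow = {}; // stands in for the window the content script runs in
  const hostile = makeEvent("https://evil.example", pageWindow, { type: "getToken" });
  const legit = makeEvent("https://app.grammarly.com", pageWindow, { type: "getToken" });
  return {
    vulnerableLeaks: vulnerableHandler(hostile) !== null,
    hardenedLeaks: hardenedHandler(hostile, pageWindow) !== null,
    hardenedServesLegit: hardenedHandler(legit, pageWindow) !== null,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The origin check is the minimum fix for this pattern. A stronger design hands the token to page scripts on no origin at all: keep it in extension storage and let the extension's background script make the authenticated requests itself, so a compromised or spoofed page has nothing to ask for.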
How serious is this?
While this is a very serious security flaw, Grammarly says it has found no evidence that any website exploited the extension to steal users' data. That is consistent with Project Zero having found the bug first and reporting it privately, which gave Grammarly's developers a chance to fix it before anyone else could take advantage of it. Keep in mind what that claim covers: "no evidence" is a statement about what was detected, not proof that nothing happened. Had criminals discovered the flaw first, the outcome could have been much worse.
What can I do about it?
Grammarly acted quickly to issue an update for the extension that closes the hole, so please make sure you are running the latest version, which is 14.917.2331, from July 3rd, 2019. Chrome normally updates extensions automatically in the background. If you have the Grammarly browser extension installed, you can verify this from the Chrome menu under More tools > Extensions (or by entering chrome://extensions in the address bar). Click “Details” on the Grammarly entry to open a screen like the one below, which shows the version number. If the version shown is older than 14.917.2331, turn on the Developer mode toggle on that page and click Update to force Chrome to fetch the current release.
If you have any other cyber security or technology related questions, feel free to contact SandStorm IT at 901-475-0275. We’re always more than happy to help you stay safe on the internet!