Update: This has been fixed by Grammarly as of February 2018. It only affected Chrome version 14.826.1446.
According to the Chromium.org report, around 22 million users are affected:
“The Grammarly chrome extension (approx ~22M users) exposes its auth tokens to all websites, therefore any website can login to grammarly.com as you and access all your documents and other data. I’m calling this a high severity bug, because it seems like a pretty severe violation of user expectations.
Users would not expect that visiting a website gives it permission to access documents from other websites.”
How serious is this?
While this is a very serious security flaw, Grammarly claims that there is no evidence that websites exploited this browser extension’s vulnerability to steal users’ data. This suggests that the vulnerability was most likely found by Project Zero first, which means the developers at Grammarly had a chance to address the issue before anyone had the opportunity to take advantage of it. If it had been discovered by criminals first, the outcome could have been much worse.
What can I do about it?
Grammarly acted quickly to issue an update for the extension to fix the security hole, so please make sure you are running the latest version. Google Chrome typically updates extensions in the background. If you have the Grammarly browser extension installed, the updated version has been pushed out to all installed copies of the extension, so no further action is required.
If you have any other cyber security or technology related questions, feel free to contact SandStorm IT at 901-475-0275. We’re always more than happy to help you stay safe on the internet!