The developers of Grammarly, a popular app that helps users spot grammar, spelling, and punctuation mistakes in their writing, were quick to fix a nasty vulnerability over the weekend that could have exposed users' data.
Until it was fixed, Grammarly's Chrome extension was spilling authentication tokens to any website a user visited and entered data into. As a result, any site could have logged into the service as the victim and accessed their sensitive documents, history, logs, and other data.
The app is immensely popular; its Chrome extension has been downloaded over 10 million times. As of last fall it boasted roughly 6.9 million daily active users.
Tavis Ormandy, a researcher with Google's Project Zero team, discovered the issue last week. Grammarly managed to roll out a fix for the problem in a few hours on Friday, “a really impressive response time,” according to a bug ticket filed by Ormandy to Project Zero’s issue tracker.
We were made aware of a security issue with our extension on Friday and worked with Google to roll out a fix within a few hours.
Thank you to @taviso and the team for finding and educating the community about the complexities of this bug. We will provide more updates soon.
— Grammarly (@Grammarly) February 5, 2018
Ormandy, a prolific bug hunter, uncovered last year's "Cloudbleed" issue upon discovering that Cloudflare had been leaking customer data, private messages, and encryption keys. He also identified a series of bugs in the LastPass password manager that could have let an attacker steal passwords.
“I'm calling this a high severity bug, because it seems like a pretty severe violation of user expectations,” Ormandy wrote of the Grammarly issue Friday. “Users would not expect that visiting a website gives it permission to access documents or data they've typed into other websites.”
The researcher elected to disclose the vulnerability, along with details on how to reproduce it, after the fix found its way into Firefox's Grammarly add-on on Monday.
Vulnerability in Grammarly extension fixed (20M users), users should be auto-updated to a fixed version. Auth tokens were accessible to websites, allowing any website to login to your account and read all your docs. https://t.co/Ydk0JwArYD
— Tavis Ormandy (@taviso) February 5, 2018
When reached late Monday, a spokesperson for Grammarly told Data Insider the issue only affected text users may have saved with Grammarly's online editor tool.
"Grammarly resolved a security bug reported by Google’s Project Zero security researcher, Tavis Ormandy, within hours of its discovery. At this time, Grammarly has no evidence that any user information was compromised by this issue. We’re continuing to monitor actively for any unusual activity. The security issue potentially affected text saved in the Grammarly Editor. This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the Grammarly browser extension. The bug is fixed, and there is no action required by Grammarly users."
It'd be relatively easy for an attacker to stage a session hijacking attack and gain access to a user's account, regardless of the service, if they could intercept a user's tokens.
PayPal fixed an issue in 2016 that could have allowed an attacker to hijack OAuth tokens associated with PayPal OAuth applications. Slack fixed a similar issue last year that could have let anyone log into an account as if they were the legitimate user. Naturally, from there, an attacker would have had chat histories, files, and any other bits of data at his or her disposal. Like Grammarly, Slack was speedy with a fix; it patched the issue in just five hours, and on a Friday at that.