A significant vulnerability has been identified in the Chrome and Firefox extensions of Grammarly, a widely utilized grammar-checking service. This flaw potentially exposed the accounts and personal documents of approximately 22 million users to remote hacking threats.

Discovered by Tavis Ormandy from Google’s Project Zero on February 2, the vulnerability arose from the extension’s mishandling of authentication tokens. These tokens could be intercepted by malicious actors visiting various websites, merely requiring four lines of JavaScript code to do so.

Essentially, any site that a Grammarly user navigates to may have the capacity to extract authentication tokens, granting unauthorized access to their accounts and all associated data, including documents, history, and logs.

Ormandy characterized the vulnerability as a high severity issue, highlighting the significant breach of user trust it represents. He stated, “Users would not expect that visiting a website gives it permission to access documents or data they’ve typed into other websites,” in his vulnerability report.

To demonstrate the threat, Ormandy provided a proof-of-concept exploit, elucidating how easily an attacker could trigger the defect to extract a user’s access token.

The Grammarly team responded swiftly to the discovery, fixing the flaw within 48 hours. This prompt action has been noted as a commendable response time for such a serious issue.

Currently, security updates for both the Chrome and Firefox extensions have been rolled out, with most users set to receive these updates automatically without having to take further action.

A representative from Grammarly has indicated that there is no evidence to suggest that any user accounts have been compromised as a result of this vulnerability. The spokesperson confirmed, “Grammarly resolved a security bug reported by Google’s Project Zero security researcher, Tavis Ormandy, within hours of its discovery,” and assured that the company is actively monitoring for any unusual activity.

The affected vulnerability could primarily influence data saved within the Grammarly Editor. It is essential to note that this flaw did not impact the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text input while using the Grammarly browser extension.

As the situation develops, users are encouraged to remain vigilant and monitor their accounts for any unusual activity. Further updates will be provided to keep the community informed of any changes related to this incident.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Source link