Back to Blog

Critical Flaw in Grammarly Spell Checker Could Let Attackers Steal Your Data

February 6, 2018

By: mirabiliscorp

Capturar

by Swati Khandelwal

February 05, 2018

A critical vulnerability discovered in the Chrome and Firefox browser extension of the grammar-checking software Grammarly inadvertently left all 22 million users’ accounts, including their personal documents and records, vulnerable to remote hackers.

According to Google Project Zero researcher Tavis Ormandy, who discovered the vulnerability on February 2, the Chrome and Firefox extension of Grammarly exposed authentication tokens to all websites that could be grabbed by remote attackers with just 4 lines of JavaScript code.

In other words, any website a Grammarly user visits could steal his/her authentication tokens, which is enough to login into the user’s account and access every “documents, history, logs, and all other data” without permission.

“I’m calling this a high severity bug, because it seems like a pretty severe violation of user expectations,” Ormandy said in a vulnerability report. “Users would not expect that visiting a website gives it permission to access documents or data they’ve typed into other websites.”

Ormandy has also provided a proof-of-concept (PoC) exploit, which explains how one can easily trigger this serious bug to steal Grammarly user’s access token with just four lines of code.

Contact us

Safety is essential to your decision making. We are sure that our team can clarify any doubts. After all, we understand security.

contact@sikur.com

Follow us

Try SIKUR





Contact Us
First Name*
Last Name*
E-mail*
Mobile Number*
Company*
Country*
Tell us what do you need* ?
Products: Hold CTRL+Click to add more than 1.* ?
Comments
I agree to the Privacy Policy and Terms of Service.