On Feb. 2, 2018, Google's Project Zero published a report describing a serious flaw in a Chrome extension. The extension belongs to Grammarly, the company best known for its writing-improvement service, and roughly 22 million users had it installed.
The report's author, Tavis Ormandy, classified the bug as high severity, for these reasons:
The Grammarly Chrome extension (approx ~22M users) exposes its auth tokens to all websites, therefore any website can log in to grammarly.com as you and access all your documents, history, logs, and all other data... Users would not expect that visiting a website gives it permission to access documents or data they’ve typed into other websites.
While this was certainly alarming, Grammarly responded promptly. As Ormandy noted in a follow-up to the report, a fix was live in the Chrome Web Store within hours of the report being filed, and because Chrome installs extension updates automatically, users did not need to do anything themselves. Grammarly stated that the bug potentially affected only text saved in the Grammarly Editor, not text typed into other websites while the extension was active, and that it had found no evidence that any user's data was compromised before the patch.
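To make the class of bug concrete, here is an added illustration written for this article. It is not Grammarly's code and does not reproduce the mechanism of the actual finding, which the report excerpt above does not spell out. It shows a content-script message handler that hands its auth token to whatever page asks, next to a hardened handler that never lets the token reach page script at all. The origins, message names, token value and `backgroundFetch` helper are all made up for the example.

```javascript
'use strict';

// All names and values below are constructed for this illustration; none come
// from Grammarly's extension or from the Project Zero report.
const EXTENSION_TOKEN = 'tok_constructed_example_123'; // stands in for a real auth token
const TRUSTED_ORIGIN = 'https://editor.example.com';   // assumed first-party web app origin

// Stand-in for the page <-> content-script channel (window.postMessage and the
// 'message' event). A posted message reaches every listener as { origin, data };
// a listener answers through `respond`, and post() returns what the page got back.
function makeMessageBus() {
  const listeners = [];
  return {
    addListener(fn) { listeners.push(fn); },
    post(origin, data) {
      const replies = [];
      for (const fn of listeners) fn({ origin, data }, (reply) => replies.push(reply));
      return replies;
    },
  };
}

// Stand-in for an authenticated request issued from the extension's own context
// (background page / service worker). The token is used here and never handed to the page.
function backgroundFetch(path, token) {
  if (token !== EXTENSION_TOKEN) return { error: 'unauthorized' };
  if (path === '/documents') return { documents: ['draft-1', 'draft-2'] };
  return { error: 'not found' };
}

// VULNERABLE pattern: answers any { type: 'getToken' } request with the token and
// never looks at event.origin. A content script runs on every page the user visits,
// so every site can ask, receive the token, and then act as the user.
function vulnerableHandler(event, respond) {
  if (event.data && event.data.type === 'getToken') {
    respond({ type: 'token', token: EXTENSION_TOKEN });
  }
}

// HARDENED pattern: the token is never exposed to page script at all. The page may
// only ask for an operation, the request is accepted solely from an exact-match
// allow-listed origin, and the privileged call happens inside the extension.
function hardenedHandler(event, respond) {
  if (!event.data || event.data.type !== 'listDocuments') return;
  // Exact comparison on purpose. startsWith/includes/unanchored-regex checks are a
  // classic bypass: https://editor.example.com.attacker.example passes a startsWith test.
  if (event.origin !== TRUSTED_ORIGIN) return; // ignore silently; no error for a probe to learn from
  respond({ type: 'documents', ...backgroundFetch('/documents', EXTENSION_TOKEN) });
}

// Run `handler` as if it were the content script injected into a page served from
// `origin`, and return the replies that page's script would receive.
function simulatePage(handler, origin, data) {
  const bus = makeMessageBus();
  bus.addListener(handler);
  return bus.post(origin, data);
}

// True if a page at `origin` can extract the token simply by asking for it.
function tokenLeaksTo(handler, origin) {
  const replies = simulatePage(handler, origin, { type: 'getToken' });
  return replies.some((reply) => reply.token === EXTENSION_TOKEN);
}

console.log('vulnerable handler, attacker site gets token:',
  tokenLeaksTo(vulnerableHandler, 'https://attacker.example'));   // true
console.log('hardened handler, attacker site gets token:',
  tokenLeaksTo(hardenedHandler, 'https://attacker.example'));     // false
console.log('hardened handler, trusted site gets data, no token:',
  JSON.stringify(simulatePage(hardenedHandler, TRUSTED_ORIGIN, { type: 'listDocuments' })));
```

The design point is where the credential lives. A content script shares the DOM with the page it is injected into, so anything it places in a DOM attribute, a page-visible global, or a postMessage reply is readable by that page's scripts. Credentials belong in the extension's background context, reached from the content script over the extension's own messaging channel, and a page should at most be able to request an operation, not the secret that authorizes it. The origin check is necessary but not sufficient: a script-injection bug on the trusted origin still gets whatever that origin is allowed to ask for.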
Grammarly has said it will "monitor actively for any unusual activity," and all signs point to the issue being handled. Users of the Grammarly Chrome extension should still watch their accounts for anything unusual, just in case. The point of this story that deserves emphasis is the Grammarly team's response time. A browser extension is a far simpler thing to patch and roll out than most exploitable technology, since the Chrome Web Store pushes the update to every install automatically, but the speed of the reaction likely spared millions of users from a data breach.
That, in and of itself, is commendable.
Photo credit: Google