Grammarly, a copyediting extension for Chrome and Firefox that points out typos and grammatical mistakes, had a major bug that allowed any website you visit to log into your account and read everything you ever wrote. It made all your documents, history, logs, tweets and blog posts vulnerable to high-tech snoops. Google’s Project Zero, which unearths and tracks vulnerabilities and reports them to software-makers, revealed the bug on February 2nd. Thankfully, the Grammarly team has quickly patched it up and has already auto-updated the extension used by over 20 million users.
Project Zero researcher Travis Ormandy called the vulnerability a “high-severity bug” since it severely violates users’ expectations of privacy and security. Grammarly told Gizmodo that it managed to issue a patch before it caused problems — Ormandy said the company rolled out a fix within hours of his report — and that there’s no evidence that anybody’s information was compromised. It’s keeping an eye out for any suspicious activity, though… as it should, because the vulnerability had the potential to expose more than just your typos.
Source: Travis Ormandy (Twitter), (2)
