Popular copyediting browser extension Grammarly has issued a quick fix for a “high severity” bug that could have allowed websites to access Grammarly users’ “documents, history, logs, and all other data.”
The bug, which was leaking authentication tokens, was identified by Google Zero researcher Tavis Ormandy. As Ormandy noted, “Users would not expect that visiting a website gives it permission to access documents or data they’ve typed into other websites.”
Grammarly is a free extension that copyedits what users type on the fly, correcting not just spelling but also more complex grammatical errors. The bug report claims the Chrome extension has about 22 million users.
Quick To Fix
Grammarly quickly reacted to fix the issue in both its Chrome and Firefox extensions, and the company told Gizmodo that “it has no evidence that any user information was compromised.” The bug report was filed on Friday, and the fix was issued on Monday.
This appears to have been only a close call, though we can’t be completely sure, and Grammarly is said to be monitoring for any “unusual activity” moving forward. That isn’t always the outcome with extensions and apps that have keyboard access.
Not Our Type
Last December, the keyboard app AI.type suffered a leak that exposed the personal information of more than 31 million users. Data exposed included “phone numbers, full names, device name and model, SMS numbers, unique IMEI numbers for each device, email address, links to social media profiles, and precise location details.” The leak was believed to only affect Android users of the AI.type keyboard — iOS users were spared.
While you may trust some companies more than others — and Grammarly appears to have done a great job in closing up its leak — we still have questions about downloading any app or extension that gives a company full access to what you’re typing. Are the potential security risks worth the added convenience to you?