Grammarly is a popular app amongst bloggers and publishers all over the world. It is a widely used online spelling and grammar checker. Most readers will be aware of this app: it has already recorded around 1,000,000 installs in Firefox, and more than 10,000,000 in Chrome.
You have probably seen the product pitch in the Firefox add-on store, which says –
Grammarly will make sure your messages, documents, and social media posts are clear, mistake-free, and impactful. Adding Grammarly to Firefox means that your spelling and grammar will be vetted on Gmail, Facebook, Twitter, Linkedin, Tumblr, and nearly everywhere else you write on the web. Once you register your new account, you will start to receive weekly emails with personalized insights and performance stats (one of our most popular new features). Working on a large project, an essay, or a blog post? No sweat. You can create and store all of your documents in your new online editor.
Broadly speaking, Grammarly is used by many people and holds copies of what you have written. Hence it is crucial that such details don’t fall into the wrong hands, such as scammers or hackers, due to a security hole in the software.
Recently, the eminent Google bug-finder Tavis Ormandy noticed a vulnerability in the Grammarly Chrome extension.
According to his report: “The Grammarly Chrome extension […] exposes its auth tokens to all websites, therefore any website can log in to grammarly.com as you and access all your documents, history, logs, and all other data.”
Once you have successfully logged into a website, the server sets a one-time cryptographic string as a browser cookie, called an authentication token.
This cookie, or authentication token, is sent back to the site with every subsequent web transaction, which signals to the server that it’s you coming back for more.
This may seem risky, but without this sort of arrangement you’d have to supply your username and password for every web request you wanted to make.
What happens in the background:
- The connection from your browser to the server uses HTTPS (secure HTTP) so that the authentication token is kept secret. This prevents eavesdroppers from sniffing your network traffic and stealing the secret token.
- If your authentication token leaks to someone else, they can add it to their own web requests, and the server will treat them as if they were you. This happens because the server assumes that the imposter must already have supplied your username and password.
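The token mechanism described above, as a minimal Python sketch added here (it is not code from Grammarly or from the original report): the server checks the password once, then trusts whoever presents the token until the token is revoked server-side. The `SessionServer` class, the `auth_token` cookie name and the sample account are assumptions made for the example.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "auth_token"  # assumed name, not Grammarly's real cookie

class SessionServer:
    """Toy session store; users and passwords are constructed sample data."""
    def __init__(self, users):
        self._users = users    # username -> password (plaintext only to keep the sketch short)
        self._sessions = {}    # token -> username

    def login(self, username, password):
        """Verify credentials once and return a Set-Cookie value, or None."""
        expected = self._users.get(username, "")
        if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)        # unguessable random string
        self._sessions[token] = username
        cookie = SimpleCookie()
        cookie[COOKIE_NAME] = token
        cookie[COOKIE_NAME]["secure"] = True     # only sent over HTTPS
        cookie[COOKIE_NAME]["httponly"] = True   # hidden from page JavaScript
        return cookie[COOKIE_NAME].OutputString()

    def _token(self, cookie_header):
        morsel = SimpleCookie(cookie_header).get(COOKIE_NAME)
        return morsel.value if morsel else None

    def whoami(self, cookie_header):
        """Later requests carry no password: the token alone identifies the user."""
        return self._sessions.get(self._token(cookie_header))

    def revoke(self, cookie_header):
        """Logout or incident response: forget the token on the server."""
        self._sessions.pop(self._token(cookie_header), None)

def demo():
    server = SessionServer({"alice": "correct horse"})
    set_cookie = server.login("alice", "correct horse")
    sent_by_browser = set_cookie.split(";", 1)[0]   # "auth_token=<value>"
    leaked_copy = str(sent_by_browser)              # same string, presented by another client
    before = (server.whoami(sent_by_browser), server.whoami(leaked_copy))
    server.revoke(sent_by_browser)                  # invalidates every copy at once
    after = (server.whoami(sent_by_browser), server.whoami(leaked_copy))
    return set_cookie, before, after

if __name__ == "__main__":
    print(demo())
```

Because the server cannot tell the two copies apart, revoking the session on the server is what cuts off a leaked token.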
Though the incident was reported by Tavis Ormandy on Friday last week, it had been hidden from public view for 90 days to give Grammarly the opportunity to fix the bug.
The bug has been successfully fixed, and Grammarly will be publishing updated versions for both Chrome and Firefox.
Grammarly has already released the patches; the version numbers to look out for [at 2018-02-05T23:55Z] are 14.826.1446 for Chrome and 8.804.1449 for Firefox.