Around 22 million people have installed the Grammarly extension for Chrome, which goes beyond a traditional spell checker to offer automated copyediting: analyzing your sentence structure and word usage, and correcting grammatical errors as well as typos. However, last week Google researcher Tavis Ormandy revealed that it had “a high severity bug”, which exposed the user’s auth token and threatened to let “any website … login to grammarly.com as you and access all your documents, history, logs, and all other data.” Ormandy described it as a “pretty severe violation of user expectations”.
Open access to a user’s auth token would mean that all of his or her documents saved in Grammarly would be accessible; so if you dropped an email to your tax attorney into Grammarly, or a confidential email to family, it was available for others to snatch. Text you typed into other websites was only briefly scanned by Grammarly and was not in jeopardy, as the bug only affected the Grammarly Editor.
Grammarly acted rapidly after it received the alert from Project Zero, releasing an update to the Chrome web store within a few hours, in what Ormandy described as “a really impressive response time”. It also rolled out an update of the Mozilla browser extension, and users should have been auto-updated to the new versions. Ormandy said he was “calling this issue fixed”. The company told Gizmodo in an email that it “has no evidence that any user information was compromised” by the security hole, and added that it was “continuing to monitor actively for any unusual activity”.
However, the bug has unleashed a wave of bad press for the relatively new startup, and made people worried about the potentially “disastrous real-world consequences”, said Gizmodo, that could result from “giving any browser plugin the ability to access literally everything you type online… [which] could leave you totally fcuked.”
Slate journalist Jacob Brogan took it further: he not only described his sense of disquiet at Ormandy’s discovery, but also complained that “nothing the company does could allay its true underlying problem: Its services just aren’t that good.” Brogan added, “the company’s ostensibly advanced tools are more likely to degrade our writing than improve it, if only because they don’t reflect the ways we really write.”