Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Chrome Firefox Privacy Security

A Bug in Browser Extension Grammarly, Now Patched, Could Have Allowed an Attacker To Read Everything Users Wrote Online (gizmodo.com) 57

Copyediting app Grammarly included a gaping security hole that left users of its browser extension open to more embarrassment than just misspelled words. From a report: The Grammarly browser extension for Chrome and Firefox contained a "high severity bug" that was leaking authentication tokens, according to a bug report by Tavis Ormandy, a security researcher with Google's Project Zero. This meant that any website a Grammarly user visited could access the user's "documents, history, logs, and all other data," according to Ormandy. Grammarly provides automated copyediting for virtually anything you type into a browser that has the extension enabled, from blogs to tweets to emails to your attorney. In other words, there is an unfathomable number of scenarios in which this kind of major vulnerability could result in disastrous real-world consequences. Grammarly has approximately 22 million users, according to Ormandy, and the company told Gizmodo in an email that it "has no evidence that any user information was compromised" by the security hole. "We're continuing to monitor actively for any unusual activity," a Grammarly spokesperson said.
This discussion has been archived. No new comments can be posted.

A Bug in Browser Extension Grammarly, Now Patched, Could Have Allowed an Attacker To Read Everything Users Wrote Online

Comments Filter:
  • by Anonymous Coward on Tuesday February 06, 2018 @11:56AM (#56077261)

    Based on the adverts I've seen for this service, it looks like it is first-and-foremost a browser-based keylogger anyway, with the copy editing features just being the hook to get people to install (and pay?) for the 'service'. The 'bug' is probably just that actors other than paying companies and intelligence agencies can get free access to the data.

    • by Anonymous Coward

      Ever notice that other stuff seems well programmed in general, but when it comes to security, stuff is "accidentally" configured to be leaky... stuff very basic to security that anyone would know? Everything from not sending passwords in plaintext to mismanaging authentication tokens, to having S3 buckets public. Basic stuff. If this were a physical lock, it would be like Schlage shipping high security mortise hardware without pins in the lock, or Abloy locks missing sidebars so a screwdriver can turn th

      • by CastrTroy ( 595695 ) on Tuesday February 06, 2018 @12:38PM (#56077511)

        This is basically a symptom of a problem that exists everywhere. Most people can learn how to program. In school they teach you how to program. But it's an entirely other type of skill to program something that can't be broken by malicious actors. Most people learn how to code in a very safe environment, and don't ever have their code attacked or challenged until much later into their career. It's hard enough for most companies to find developers that will check user input (does this number field actually contain a number), never mind checking for users who are actively trying to attack the system.

        It's kind of a problem that's only found in the computer industry. Cars don't stop people from crashing them if they are actively trying to crash them, or some other person is actively trying to run them off the road. They can put in a few basic features like seat belts and airbags to help the passengers, but if somebody actively wants to harm the people in the car, then there's a good chance they will be able to do it.

        • But it's an entirely other type of skill to program something that can't be broken by malicious actors.

          Early teacher: "Garbage in, garbage out."

          Real life need: "Whatever in, never-fucking-ever garbage out. Output must always be correctly formed, even if that means it's blank or otherwise useless."

    • Re: (Score:2, Funny)

      by Anonymous Coward

      But... but... those ads said if I write online I NEED it! Because apparently schools teach nothing and only a browser extension can let us write words good ish like.

    • Based on the adverts I've seen for this service, it looks like it is first-and-foremost a browser-based keylogger anyway, with the copy editing features just being the hook to get people to install (and pay?) for the 'service'. The 'bug' is probably just that actors other than paying companies and intelligence agencies can get free access to the data.

      Sounds like what Google themselves are offering in syncing with your phones. They also record and track everything you write on the internet, but it isn't spyware, it is a feature!

      • Based on the adverts I've seen for this service, it looks like it is first-and-foremost a browser-based keylogger anyway, with the copy editing features just being the hook to get people to install (and pay?) for the 'service'. The 'bug' is probably just that actors other than paying companies and intelligence agencies can get free access to the data.

        Sounds like what Google themselves are offering in syncing with your phones. They also record and track everything you write on the internet, but it isn't spyware, it is a feature!

        We trust all kinds of software with everything, or a reasonable approximation of everything, that we type. E.g. Office365, Google ...

    • Based on the adverts I've seen for this service, it looks like it is first-and-foremost a browser-based keylogger anyway, with the copy editing features just being the hook to get people to install (and pay?) for the 'service'.

      Yup, I find it personally disturbing that people will let some shady 3rd party unknown server somewhere in Ukraine access (for "proof reading") every single thing they type online.

      You're better off using some technology that can be installed locally (or on your own-controlled servers):

      e.g.: LanguageTool [languagetool.org]
      - it has a webextension [mozilla.org]
      - it can be downloaded [languagetool.org] as a stand-alone version.
      (- and of course, you can point the extension to the URL of your stand-alone server)

      (both of the above are Free/Libre OpenSource Softwar

  • by Anonymous Coward

    Firefox recently switched to the WebExtensions model for browser extensions, which is basically Firefox's imitation of Chrome's extension system.

    Firefox 57, which was released in the middle of November 2017, was hugely disruptive. It broke nearly all of Firefox's existing extensions, and worst of all, there are some existing extensions that couldn't even be reimplemented properly because WebExtensions is so crippled and limited.

    The crippling of Firefox's extension system, which rendered Firefox nearly usele

    • by Anonymous Coward

      How would this vulnerability have been prevented by a xul based extension that couldn't be done with a WebEx extension?

  • by Anonymous Coward

    From malware applications in operating systems to malware extensions in web browsers - we've come full circle. The browser is now the OS inside another OS.

    I'm eagerly awaiting full-blown antivirus programs for web browsers since we obviously can't trust the Walled Garden(r) to protect us.

  • Re: (Score:2, Informative)

    Comment removed based on user account deletion
  • by forkfail ( 228161 ) on Tuesday February 06, 2018 @12:31PM (#56077475)

    This is nothing.

    Just wait till Alexa throws her party.

    That'll be where the real fun is at.

  • I am just so relieved that this commercial browser extension that effects, by my rough count, approximately 1 out of every 500 people on earth (assuming Grammarly's user counts are accurate) and offers a feature that just about everybody has no use for at all has been fixed.
    • I am just so relieved that this commercial browser extension that effects, by my rough count, approximately 1 out of every 500 people on earth (assuming Grammarly's user counts are accurate) and offers a feature that just about everybody has no use for at all has been fixed.

      A browser extension used by 1/500 people on earth??? That's pretty awesome market penetration.

  • Why can a plug-in even reach all the authentication tokens? Shouldn't it be only able to reach its own data? Doesn't this seem like a bug more in Firefox than in Grammerly? It sounds like a sandbox violation.
    • The plugin is a proof-reading tool.
      It makes all the nice colored wavy line under your mistakes.

      It works in an TEXTAREA> <INPUT TYPE="text"> etc.

      This particular plug-in doesn't do the proof reading it self,
      it sends the text-to-be-corrected to some cloud server where the actual proof reading algorithms run.

      So for the plugin to work (and colored wavy line to appear), the plugin needs to send everything you type out of your computer.

      It's basically a giant keylogger - BY DESIGN.

      It's just that some attac

  • by Khashishi ( 775369 ) on Tuesday February 06, 2018 @12:46PM (#56077561) Journal

    Egads, foiled again!

  • "A Bug in Browser Extension Grammarly, Now Patched, Could Have Allowed an Attacker To Read Everything Users Wrote Online"

    Good thing the only place I used it was writing Wikipedia articles then.

  • Isn't this why we take English lessons in school? I suppose it could be helpful for ESL folk, but it seems like such a niche service...
    • by Anonymous Coward

      And some of us are experts at programming who have studied the field for decades, yet compilers and static analysis tools are always finding errors in our code (and many still go unnoticed). I guess we don't need those analysis tools, either, we should just try harder and hope for the best?

  • t) *sound of shredder going into standby*

    t+1)

    the company told Gizmodo in an email that it "has no evidence that any user information was compromised"

"The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts." -- Bertrand Russell

Working...