Critical Grammarly vulnerability allows stealing user’s information

by Olivia Morelli

“High severity bug” in Grammarly browser extensions puts users’ privacy at risk


Millions of users of Grammarly[1], the spelling, grammar and language checker, who installed its Chrome or Firefox extension may be at risk. A “high severity bug” was found in the grammar-checking app that allows stealing authentication tokens for websites. It means that attackers could gain access to all the data a user uploaded to the app.

Google’s Project Zero researcher Tavis Ormandy[2] discovered a flaw in the Google Chrome extension, which has about 22 million users. Further investigation revealed that the same issue exists in the Firefox version of the add-on.

According to some sources, the Grammarly Firefox extension was installed about 1,000,000 times, while the Chrome extension is said to have more than 10,000,000 installs.[3] Therefore, if you use this language-checking app, make sure you are running the latest version. The developers have already released patches.[4]

It only takes four lines of code to compromise a user’s information

The authentication token itself is a cryptographic string set by the server and stored as a browser cookie as soon as you log in to a website. The browser then sends it back to the server with each request, telling the server that it is still you browsing and using the site. For this reason, you do not need to log in every time you click a button or visit a new page on the same website.

However, the flaw in Grammarly allows attackers to steal users’ tokens and access websites pretending to be them. To do so, attackers only need four lines of code, run either manually or from a script.

This code produces a token that matches the Grammarly cookie. As soon as a user logs in to his or her account via grammarly.com, the authentication token can be stolen and used by third parties. As a result, attackers fool the server into believing that it is you using the site and gain access to your information:

[A]ny website can login to grammarly.com as you and access all your documents, history, logs, and all other data. I'm calling this a high severity bug, because it seems like a pretty severe violation of user expectations.
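The quote above describes the failure in one sentence: session material that only the extension and grammarly.com should see becomes available to any web page. The following is an added example and not Grammarly's code; it models that bug class in a browser-neutral way. Message events are represented as plain `{origin, data}` objects (the shape a `postMessage` handler receives) so the file runs under Node, and the session token, the trusted origin `https://app.checker.example`, the user name and the `GET_TOKEN` message type are all constructed for the example. The mechanism by which the real extension exposed the token is not stated in the article, so the handler shown here is an assumption used to illustrate the principle, not a reconstruction of it.

```javascript
// Added example, not Grammarly's code: models an extension handler that hands the
// logged-in user's session token to whatever page asks, beside an origin-checked
// version. All values (token, origins, user) are constructed for the demonstration.

// Constructed session token the extension holds after the user logs in.
const SESSION_TOKEN = "sess-constructed-7f3a9c";

// Hypothetical: the only origin the extension's own web app is served from.
const TRUSTED_ORIGINS = new Set(["https://app.checker.example"]);

// Vulnerable pattern: answers a GET_TOKEN request regardless of who sent it.
function vulnerableHandler(event) {
  if (!event.data || event.data.type !== "GET_TOKEN") return null;
  return { type: "TOKEN", token: SESSION_TOKEN };
}

// Hardened pattern: the sender's origin is checked against an allow-list first.
function hardenedHandler(event) {
  if (!event.data || event.data.type !== "GET_TOKEN") return null;
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { type: "DENIED", reason: `untrusted origin ${event.origin}` };
  }
  return { type: "TOKEN", token: SESSION_TOKEN };
}

// Simulated server side: the cookie value alone identifies the user, which is
// exactly why a leaked token equals a leaked login (constructed session table).
const SESSIONS = new Map([[SESSION_TOKEN, "alice"]]);

// Parse a Cookie header and return the user its session token maps to, or null.
function whoAmI(cookieHeader) {
  for (const part of cookieHeader.split(";")) {
    const [name, value] = part.trim().split("=");
    if (name === "session" && SESSIONS.has(value)) return SESSIONS.get(value);
  }
  return null;
}

// Send one GET_TOKEN message through `handler` as if it came from `origin`, then
// present whatever token comes back to the server. Returns the user the server
// believes it is talking to, or null if the request was refused.
function simulate(handler, origin) {
  const reply = handler({ origin, data: { type: "GET_TOKEN" } });
  if (!reply || reply.type !== "TOKEN") return null;
  return whoAmI(`theme=dark; session=${reply.token}`);
}

console.log("vulnerable handler, third-party page:", simulate(vulnerableHandler, "https://third-party.example"));
console.log("hardened handler, third-party page:  ", simulate(hardenedHandler, "https://third-party.example"));
console.log("hardened handler, trusted page:      ", simulate(hardenedHandler, "https://app.checker.example"));
```

With the vulnerable handler the third-party page is authenticated as `alice`; with the hardened one it is refused while the trusted origin still works. The allow-list is the minimum; in a real extension the better design is to never pass the raw token to page context at all and let the extension's background code make the authenticated requests itself.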

Keep in mind that the program not only collects various information about you (we hope you have read its Privacy Policy[5]) but may also save copies of the articles, documents, letters and other texts you checked, and these may include information that is interesting or sensitive from an attacker’s point of view.

22 million Grammarly users are warned to update the extension

Grammarly was informed about the issue and quickly published an update in the Chrome Web Store. Hence, users should make sure they are running an up-to-date version of the Grammarly Chrome extension (14.826.1446 or newer).

The Mozilla Firefox add-on has also been patched. Although users should receive the update automatically, it is still recommended to check that version 8.804.1449 (or newer) of the add-on is installed to avoid a possible data leak.
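Checking "version X or newer" is easy to get wrong when the check is automated, because a plain string comparison ranks "8.804.1449" above "14.826.1446" ("8" sorts after "1"). The block below is an added example, not code from Grammarly or either browser vendor; it compares dotted version strings segment by segment as integers against the two patched versions quoted in this article. The browser names used as keys and the sample installed versions are constructed for the example.

```javascript
// Added example, not Grammarly's or the browsers' code: decides whether an installed
// extension version is at or above the patched release quoted in the article.

// Minimum patched versions from the article, keyed by a constructed browser name.
const PATCHED = {
  chrome: "14.826.1446",
  firefox: "8.804.1449",
};

// Split "a.b.c" into integers; anything other than dotted digits is rejected rather
// than silently compared as text.
function parseVersion(v) {
  if (typeof v !== "string" || !/^\d+(\.\d+)*$/.test(v)) {
    throw new Error(`malformed version: ${v}`);
  }
  return v.split(".").map(Number);
}

// Numeric per-segment comparison; returns -1, 0 or 1. A missing trailing segment
// counts as 0, so "14.826" equals "14.826.0".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when `installed` is at or above the patched version for `browser`.
function isPatched(browser, installed) {
  const minimum = PATCHED[browser];
  if (!minimum) throw new Error(`unknown browser: ${browser}`);
  return compareVersions(installed, minimum) >= 0;
}

// The pitfall the numeric comparison avoids: as strings, the Firefox version sorts
// above the Chrome one, which would wrongly pass a Chrome install at "8.804.1449".
console.log("string compare says 8.804.1449 > 14.826.1446:", "8.804.1449" > "14.826.1446");
console.log("numeric compare:", compareVersions("8.804.1449", "14.826.1446"));
console.log("chrome 14.826.1446 patched:", isPatched("chrome", "14.826.1446"));
console.log("chrome 14.826.1445 patched:", isPatched("chrome", "14.826.1445"));
```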

Prevent websites, ISP, and other parties from tracking you

Private Internet Access is a VPN that can prevent your Internet Service Provider, the government, and third parties from tracking your online activity and allow you to stay completely anonymous. The software provides dedicated servers for torrenting and streaming, ensuring optimal performance without slowing you down. You can also bypass geo-restrictions and view services such as Netflix, BBC, Disney+, and other popular streaming services without limitations, regardless of where you are.

A VPN is also crucial when it comes to user privacy. Online trackers such as cookies can be used not only by social media platforms and other websites but also by your Internet Service Provider and the government. Even if you apply the most secure settings in your web browser, you can still be tracked through the apps you connect to the internet with. Besides, privacy-focused browsers like Tor are not an optimal choice due to diminished connection speed.

Therefore, to stay completely anonymous and prevent the ISP and the government from spying on you, you should employ Private Internet Access VPN. It will allow you to connect to the internet while remaining completely anonymous, and block trackers, ads, and malicious content. Most importantly, you will prevent the illegal surveillance activities that the NSA and other governmental institutions are performing behind your back.


Recover your lost files quickly

Unforeseen circumstances can happen at any time while using the computer: it can turn off due to a power cut, a Blue Screen of Death (BSoD) can occur, or a random Windows update can decide to reboot the machine while you are away for a few minutes. As a result, your schoolwork, important documents, and other data might be lost.

Additionally, you might also be attacked by malware that can corrupt your Windows or encrypt files with a robust encryption algorithm, and ask for a ransom in Bitcoin for the decryption tool. Cybercriminals might not deliver what they promised, however, so it is better to attempt alternative file recovery methods that could help you to retrieve at least some portion of the lost data.

Data recovery software is one of the options that could help you recover your files. Once you delete a file, it does not vanish into thin air – it remains on your drive as long as no new data is written on top of it. Data Recovery Pro is recovery software that searches your hard drive for working copies of deleted files. By using the tool, you can prevent the loss of valuable documents, schoolwork, personal pictures, and other crucial files.

About the author

Olivia Morelli - PC & Mac repair expert

Olivia Morelli is a young but perspicacious IT expert who is currently just a year away from a Bachelor’s Degree in Software Systems. Her primary passion is cyber security; however, thanks to her detailed understanding of computer networks, operating systems and hardware, she can find a fix for any PC or Mac issue.
