Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Thursday February 08 2018, @08:14AM   Printer-friendly
from the more-gooder-coding dept.

Grammarly has fixed a security bug in its Chrome extension that inadvertently allowed access to a user's account -- including their private documents and data.

Tavis Ormandy, a security researcher at Google's Project Zero who found the "high severity" vulnerability, said the browser extension exposed authentication tokens to all websites.

That means any website can access a user's documents, history, logs, and other data, the bug report said.

"I'm calling this a high severity bug, because it seems like a pretty severe violation of user expectations," said Ormandy, because "users would not expect that visiting a website gives it permission to access documents or data they've typed into other websites."

In proof-of-concept code, he explained how to trigger the bug in four lines of code.

More than 22 million users have installed the grammar-checking extension.

[...] In a statement, a spokesperson for Grammarly confirmed the bug is fixed.

"At this time, Grammarly has no evidence that any user information was compromised by this issue. We're continuing to monitor actively for any unusual activity," the spokesperson said.

Story at ZDNet


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 2) by takyon on Thursday February 08 2018, @08:16AM

    by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Thursday February 08 2018, @08:16AM (#634781) Journal

    This seems like the kind of company Google or Microsoft would buy for a billion dollars to integrate into their word processing software.

    Google is just protecting its investment. Or giving them some bad press.

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
  • (Score: 2) by FatPhil on Thursday February 08 2018, @05:05PM

    by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Thursday February 08 2018, @05:05PM (#635022) Homepage
    https://bugs.chromium.org/p/project-zero/issues/detail?id=1527#c3
    "Grammarly had fixed the issue and released an update to the Chrome Web Store within a few hours, a really impressive response time."

    Nice to see a software supplier taking such issues seriously, and also to see the respectful and professional way Tavis handled the situation too - no name calling, no shit flinging, no "EP1C F4LE" - he's a pro, I wish he was auditing my code!
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(1)