On February 2, Tavis Ormandy, a researcher on Google’s Project Zero team discovered a critical flaw in the popular online grammar checking app, “Grammarly.” Tens of millions of users make regular use of the app to improve the quality of their writing. The bug allowed a hacker to steal a Grammarly user’s authentication token and use that token to log on and access every document they’ve run through the Grammarly system. This along with that user’s history, logs and other data. They were able to do it all using just four lines of JavaScript code.
The bug was found in both the Firefox and Chrome Grammarly extensions and was reported immediately.
While response time to such a report varies greatly, Grammarly set a new record for speed and efficiency. The bug was reported on a Friday, and by Monday, it was patched. If you use either the Chrome or the Firefox Grammarly extension, there’s nothing for you to do, as these should update automatically.
A spokesman for Grammarly had this to say about the matter:
“Grammarly resolved a security bug reported by Google’s Project Zero security researcher, Tavis Ormandy, within hours of its discovery. At this time, Grammarly has no evidence that any user information was compromised by this issue.
We’re continuing to monitor actively for any unusual activity. The security issue potentially affected text saved in the Grammarly Editor. This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the Grammarly browser extension. The bug is fixed, and there is no action required by Grammarly users.”
Kudos to Tavis Ormandy for finding the bug, and a hearty round of applause to Grammarly for their speedy and deft handling of the issue. Given the severity of the bug, it’s easy to see how such a discovery could have gone an entirely different direction. As it turns out, Grammarly set a new bar for excellence with their handling of the issue.