Grammarly Patches Chrome Extension Bug That Exposed Users’ Docs


Grammarly has fixed a bug with its Chrome browser extension that exposed its authorization tokens to websites, allowing sites to assume the identity of a user and view their account’s documents. “I’m calling this a high severity bug, because it seems like a pretty severe violation of user expectations,” said Tavis Ormandy, a researcher at Google’s Project Zero, in a Feb. 2 forum post. “Users would not expect that visiting a website gives it permission to access documents or data they’ve typed into other websites.”

More information here.