Google's Project Zero security team has uncovered a bug in the popular Grammarly Chrome extension that exposed authentication tokens to all websites its users may have visited.
The Project Zero team called this vulnerability a “high severity bug” because it would allow any website to access all of a user's documents, history, logs, and all other data used by the Grammarly Chrome extension. Ormandy noted the bug is quite severe because users wouldn’t expect that visiting a website would give it permission to access data they’ve typed into another website.
The Grammarly bug was subject to a 90-day disclosure policy, but Grammarly was able to fix the bug much sooner than that once it was disclosed to the company. Per Grammarly, once the bug was disclosed on Friday, the company was able to fix it within a few hours through collaboration with the Google team of security researchers.