Have you watched a YouTube video lately in a country where English is widely used?
If so, we’re willing to bet that you’ve seen an advert for Grammarly, an online spelling and grammar checker.
In fact, we’ll suggest you’ve seen the Grammarly ad many times, perhaps even very many times – we certainly have.
The ads seem to be working, with the product currently closing in on 1,000,000 installs in Firefox, and already claiming more than 10,000,000 in Chrome.
As the product pitch in the Firefox add-on store explains:
Once you register your new account, you will start to receive weekly emails with personalized insights and performance stats (one of our most popular new features). Working on a large project, an essay, or a blog post? No sweat. You can create and store all of your documents in your new online editor.
In other words, your Grammarly account ends up knowing a lot about you, and holding copies of a lot of what you’ve written.
A security hole in Grammarly could therefore tell crooks much more about you than you’d like them to know.
So, when prodigious Google bug-finder Tavis Ormandy turned his eagle eyes on Grammarly’s Chrome extension recently, he was surprised at what he found:
The Grammarly chrome extension […] exposes it’s auth tokens to all websites, therefore any website can login to grammarly.com as you and access all your documents, history, logs, and all other data.
(Yes, Tavis made the very mildly embarrassing mistake of writing it’s for its, but unsurprisingly he didn’t have Grammarly turned on to help him.)
An authentication token is a long, random, unguessable string that a server hands to your browser (typically as a cookie) after you’ve successfully logged into a website.
Your browser sends that cookie back to the site with every subsequent web transaction, thus signalling to the server that it’s you coming back for more.
Without this sort of arrangement, you’d have to supply your username and password for every web request you wanted to make.
What’s supposed to happen is that:
- The connection from your browser to the server uses HTTPS (secure HTTP) so that the authentication token is encrypted in transit. This prevents eavesdroppers from sniffing your network traffic and stealing the secret token.
- Your browser keeps cookies scoped to the site that set them and enforces what’s known as the same-origin policy, so that a cookie set by website X is only ever sent back to site X and JavaScript from any other site can’t read it. This prevents third-party sites from accessing other sites’ secret tokens and stealing them.
If your authentication cookie leaked out to someone else, they could add it into their own web requests and the server would treat them as if they were you, because the server would assume that the imposter must already have supplied your username and password.
The Grammarly bug
Unfortunately – or perhaps fortunately, given that no one else seems to have found this before him – Ormandy realised that the Grammarly extension didn’t enforce the same-origin policy properly.
The buggy extension could be tricked into handing your Grammarly authentication token over to JavaScript loaded from a third-party site.
At that point, of course, your security is broken: the offending JavaScript is automatically authorised by your browser to talk back to the server it came from, so it can call home with the stolen cookie, which then acts as a temporary ID badge giving access to your account.
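The article doesn’t spell out the exact mechanism by which the extension handed the token to other sites, so the snippet below is an added illustration, not Grammarly’s code. It shows the general shape of the mistake described above and its fix: a browser-extension content script that answers `postMessage()` requests for the session token. The leaky version answers any page; a sloppy “does the origin contain our hostname?” check can be fooled by a look-alike domain; the hardened version exact-matches the whole origin against an allow-list and replies only to that origin. The origins, message name and token are made up for the example, and the `MessageEvent` is simulated so it runs under plain Node without a browser.

```javascript
// Added illustration (not Grammarly's code): how an extension content script
// can leak a session token to any web page by answering postMessage() requests
// without checking where they came from, and how the fixed version behaves.
// Origins, message type and token below are constructed for the example.

const SESSION_TOKEN = 'grauth=EXAMPLE-SESSION-TOKEN'; // constructed, not real

// The only page the extension is supposed to hand the token to (assumed origin).
const TRUSTED_ORIGINS = new Set(['https://editor.example.com']);

// Minimal stand-in for a MessageEvent plus the sender's window, so the handlers
// below run under Node without a DOM. `replies` records what the handler would
// have sent back to the requesting page.
function makeRequest(origin, data) {
  const replies = [];
  return {
    origin,
    data,
    source: { postMessage: (msg, targetOrigin) => replies.push({ msg, targetOrigin }) },
    replies,
  };
}

// Vulnerable pattern: any page that knows the message type gets the token.
// In a real content script this would be window.addEventListener('message', ...),
// and every page the extension is injected into can call window.postMessage().
function leakyHandler(event) {
  if (event.data && event.data.type === 'getAuthToken') {
    event.source.postMessage({ token: SESSION_TOKEN }, '*');
  }
}

// Also wrong: a substring check on the origin. An attacker who registers
// editor.example.com.evil.example passes it.
function suffixCheckHandler(event) {
  if (event.data && event.data.type === 'getAuthToken' &&
      event.origin.includes('editor.example.com')) {
    event.source.postMessage({ token: SESSION_TOKEN }, event.origin);
  }
}

// Hardened pattern: exact-match the full origin (scheme + host + port) against
// an allow-list, and address the reply to that origin only, never to '*'.
function strictHandler(event) {
  if (!event.data || event.data.type !== 'getAuthToken') return;
  if (!TRUSTED_ORIGINS.has(event.origin)) return; // ignore everyone else
  event.source.postMessage({ token: SESSION_TOKEN }, event.origin);
}

// Run one request through a handler and report whether the token went out.
function tokenSentTo(handler, origin) {
  const req = makeRequest(origin, { type: 'getAuthToken' });
  handler(req);
  return req.replies.some((r) => r.msg && r.msg.token === SESSION_TOKEN);
}

// Demonstration: the trusted page, an attacker's page, a look-alike domain,
// and the same hostname over plain http (a different origin).
const ORIGINS = [
  'https://editor.example.com',
  'https://evil.example',
  'https://editor.example.com.evil.example',
  'http://editor.example.com',
];
for (const h of [leakyHandler, suffixCheckHandler, strictHandler]) {
  console.log(h.name, ORIGINS.map((o) => `${o} -> ${tokenSentTo(h, o) ? 'SENT' : 'blocked'}`));
}
```

Only `strictHandler` confines the token to the one trusted origin; the other two hand it to a page the user merely visited, which is exactly the situation the article describes. Note that the usual cookie defences (HTTPS, the same-origin policy) don’t help here, because the extension itself is doing the handing over.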
Ormandy reported the bug to Grammarly on Friday last week, but with the details hidden from public view for 90 days to give Grammarly a chance to fix the hole…
…which the company did over the weekend, publishing updated versions for both Chrome and Firefox.
That’s why the story of this bug has already been published, with the often-critical Ormandy saying:
Grammarly had fixed the issue and released an update to the Chrome Web Store within a few hours, a really impressive response time.
I’ve verified that Mozilla now also has the update, so users should be auto-updated to the fixed version. I’m calling this issue fixed.
If you’re a Grammarly user and you want to make sure you’ve received the patch already, the version numbers to look out for [at 2018-02-05T23:55Z] are: 14.826.1446 for Chrome and 8.804.1449 for Firefox.
Even bad bugs like this one, when dealt with rapidly and responsibly, can turn into good stories.
Update. Grammarly contacted after we published this article to say, “This bug was limited to the documents in the Grammarly Editor and did not affect any text typed while using the other products. Specifically, this bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the Grammarly browser extension.” [Added 2018-02-09T14:15Z]
MossyRock
For the sake of fun, there is another grammatical error:
“… therefore any website can login to grammarly.com …”
It should be:
“… therefore any website can log in to grammarly.com …”
You log in with your login.
This is a very common mistake today, just like the usage of “setup” instead of “set up”.
You run the setup routine to set up the program.
Paul Ducklin
I prefer the look of “log in” and would like to think I’d usually write two words. But I accept “login” as a verb in its own right these days and consider it unexceptionable.
The word has been extended so far beyond just “keeping a log” (because it has to do with digital authentication rather than simply signing a log in the entrance lobby of a building) that it is entitled to status as a verb of one word. So I’ll let Tavis have that one.
roleary
Random House Dictionary lists login as a verb. It then defines it as meaning “to log in”.
Paul Ducklin
Neat! (My Oxfords, English and American, don’t admit of login as a verb, only as a noun, with logon as an equivalent alternative.)
Kieron Robertson
Even bad bugs like this one, when dealt with rapidly and repsonsibly, can turn into good stories.
On purpose?
Paul Ducklin
We wrote the story on purpose. Ormandy found the bug on purpose. His job is to look for bugs. In this case the bug was reported responsibly and fixed quickly… not sure if you mean to imply that “on purpose” is a bad thing or a good thing or not.
Steve
I suspect, given his quoting of your last line, that Kieron was asking whether your misspelling (“repsonsibly”) was on purpose.
Paul Ducklin
Aaaargh. OK, I am on-script now. (At least I was consistent: I made the typo and then failed to spot the same typo purposefully put into Kieron’s comment.)
Fixing it now.