TYPO-TARGETING browser extension Grammarly was found harbouring a bug that could potentially expose everything a user ever wrote when using the spelling and grammar checker.
The bug was found by serial flaw spotter Tavis Ormandy of Google's Project Zero security fame. The researcher found that the Chrome and Firefox extension was leaking authentication tokens, meaning any website a user visited could access their "documents, history, logs, and all other data".
Essentially, this would mean all their scribing, blog posting, email, tweeting, moaning on INQUIRER articles and so on could have been exposed to the wrong eyes, providing a bit of simple scripting had been put in place.
"I'm calling this a high severity bug, because it seems like a pretty severe violation of user expectations," said Ormandy.
"Users would not expect that visiting a website gives it permission to access documents or data they've typed into other websites."
The researcher promptly contacted Grammarly and informed it of the bug. Grammarly was fast and promptly patched the bug, in what Ormandy called a "really impressive response time".
Grammarly fixed the bug in the extension in the Chrome Web Store and pushed out a patch for the Firefox version.
Such was the speedy response, Grammarly has claimed that the bug wasn't exploited and all is well with the spellchecker.
Nevertheless, the bug was certainly an alarming one as Grammarly has 22 million users on its books, who, if the bug hadn't been picked up by Ormandy, could have seen their writing sucked up and exposed by websites with malicious coders lurking behind them.
Of course, this didn't happen, but it does raise the question of how much access we give browser extensions to our online activities and how much due diligence is done to ensure such add-ins are safe and bug-free. µ