Google Chrome has found another vulnerability in a browser extension, and this time it was the grammar-checking extension, Grammarly.
The good news is that Grammarly quickly responded with a patch within hours and the issue stands resolved as of now.
Security Researcher Detects the Vulnerability
The vulnerability was detected on February 2 by a security researcher from Google’s Project Zero.
He quickly posted his findings and termed the vulnerability “high severity.” He alerted Grammarly of the issue.
The grammar-checking browser extension is used by over 22 million people around the world and failing to remove the security vulnerability would have had serious consequences for both Grammarly and Google Chrome.
Grammarly has quickly released an update patch, thereby limiting the damage caused.
On his part, the researcher has acknowledged the update and has confirmed that the threat no longer exists.
To establish the existence of the vulnerability, the Google Project Zero researcher released the 4-line code he wrote to create the authentication code.
A “High Severity” Vulnerability
The Chrome extension was found to be granting permission to access users’ data and classified documents.
Further, it was found that the vulnerability allowed such access in all websites that the user opened or visited. In technical language, it revealed authentication tokens in all websites.
And the browsing logs, history and additional details can be accessed by the website even after the user has left the page.
No wonder the researcher flagged the vulnerability as a risk of high severity. He has hastened to appreciate the prompt response by Grammarly in issuing the patch.
A Patch Is Released Along with a Statement
On Twitter, Grammarly acknowledged the existence of the vulnerability in its browser extension and released the update patch to get rid of the flaw.
The company has also followed up with a tweet explaining its position.
They claimed that at the time of issuing the statement, no cases of data theft had been received at their end, indicating that the bug might have escaped the attention of unscrupulous elements in the cyber world who would have jumped at the opportunity to exploit the vulnerability.
Additionally, Grammarly confirmed that they’re continuing to monitor browser extension activity for any oddity or unusual episodes, and they intended to assure the users that they need not be perturbed by the detection of the vulnerability.
Grammarly has explained that though the vulnerability did exist, it did not affect the tool’s keyboard or Microsoft Office add-in files.
The browser extension is now safe for use by customers, according to Grammarly.
Bugs Found in Other Chrome Extensions
The issues relating to bugs found in Chrome extensions are not just a one-off with the Grammarly vulnerability.
The same Google Project Zero security researcher, Tavis Ormandy, had exposed at least two other bugs linked to Google Chrome browser extensions. These included an execution defect in the Cisco WebEx extension and the more widely reported LastPass data vulnerability.
It is always safe to update your browser regularly. With Chrome, the difficulty is limited since the browser automatically installs the updates as new patches are released, leaving very little for you to remember or do.
But when such correction patches are released to fix major vulnerabilities, it is essential for you to stay alert and install the updates without any loss of time.
If you have not used Grammarly on your device, then the present issue is not so critical for you. But if you are one among the 22 million users of the grammar-checking tool, then the time to update your extension is now.