Grammarly is a free browser extension that actively alerts you to spelling and grammar mistakes you make while typing. While the tool is certainly useful, if you're a regular Grammarly user, your writing history may have been compromised recently due to a major software bug.
The bug in question exposed Grammarly's authorization tokens to "all websites," allowing those sites to log in to a user's Grammarly.com account and view the user's full writing history.
Fortunately, Google Project Zero has come to the rescue once again. The vulnerability-finding group recently discovered and disclosed the bug to Grammarly, offering the company their standard 90-day grace period before going public with their findings.
Vulnerability in Grammarly extension fixed (20M users), users should be auto-updated to a fixed version. Auth tokens were accessible to websites, allowing any website to login to your account and read all your docs. https://t.co/Ydk0JwArYD — Tavis Ormandy (@taviso) February 5, 2018
However, that 90-day period was quickly proven unnecessary, as a confirmed fix for the bug was rolled out in a matter of hours - an "impressive" response time, according to Project Zero member Tavis Ormandy.
The vulnerability-finding group has been on a bit of a hot streak lately, with this news coming not long after they discovered the major CPU vulnerabilities Spectre and Meltdown and disclosed them to CPU manufacturers. Though more major security bugs such as these are likely still out in the wild, it's nice to see some groups actively working to mitigate their impact.