If you were really bored one day, and took it upon yourself to list every piece of software, ordered by how much hackers could ruin your life with the data contained within, Grammarly would probably come quite far down the list, somewhere between the calculator and Microsoft Paint. And yet a zero-day exploit uncovered by Google’s Project Zero could potentially have done quite a bit of damage on the clever web-based spell checker.
Could have, because Grammarly was quicker to close the loophole that it would have been telling you to use “whom” instead of “who,” fixing things in “just a few hours”. Tavis Ormandy, a security researcher at Project Zero called it a “really impressive response time.”
Rather than reaping havoc with your use of the Oxford comma, or wantonly splitting your infinitives, the Grammarly vulnerability was quite a bit more serious. It was leaking authentication tokens, meaning that any website you visited in a browser with the Grammarly plug-in installed could access your “documents, history, logs, and all other data.”
Given that Grammarly is designed to read every email, blog post, tweet, feedback form and comment you put in a text box in your browser, that has the potential to be pretty harmful to Grammarly’s 22 million users, though Grammarly claims that it would only have affected text saved in the Grammarly Editor.
An automatic update has already been rolled out to the Firefox and Chrome stores, seemingly killing the problem before it was exploited. “The bug is fixed, and there is no action required by Grammarly users,” a company spokesperson told Gizmodo, adding that it had “no evidence that any user information was compromised.”
No evidence something happened is not the same as guaranteeing it didn’t happen of course, so it’s worth keeping an eye out for suspicious activity if you rely on Grammarly to fix your broken prose.
Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way.
