
Grammarly shared its tokens with all websites - ksajadi
https://bugs.chromium.org/p/project-zero/issues/detail?id=1527&desc=2
======
shervinafshar
Last year I signed up for a paid subscription to Grammarly... then I read the
terms of use[1]. I know... it should have been the other way around, but here
it goes:

> "By uploading or entering any User Content, you give Grammarly (and those it
> works with) a nonexclusive, worldwide, royalty-free and fully-paid,
> transferable and sublicensable, perpetual, and irrevocable license to copy,
> store and use your User Content in connection with the provision of the
> Software and the Services and to improve the algorithms underlying the
> Software and the Services."

First I thought that maybe this was just me being paranoid. So I compared
their terms of service with Evernote's[2] and summarized the differences for
them in the support ticket asking for termination of my account. I reproduce
that here for reference:

> In Evernote's TOS

> – It's clearly noted that the user retains their Copyright to the content;

> – and the license to Evernote is limited and they don't "obtain any right,
> title or interest" other than what they point out;

> – they don't require sublicensable and transferable rights to User Content
> which is different than having the rights to share the content with other
> contractual partners (which they require);

> – the agreement on content is irrevocable as long as the content is stored
> on the service.

[1]: [https://www.grammarly.com/terms](https://www.grammarly.com/terms)

[2]: [https://evernote.com/legal/tos.php](https://evernote.com/legal/tos.php)

Edit: Formatting.

~~~
enknamel
Is the grammarly ToS more than a CYA? I think they may do it that way to
protect themselves from being sued after retaining your work. But I don't like
the possibility of them owning your work.

~~~
shervinafshar
I agree that like many of such documents, it is CYA indeed. I don't mind CYA,
but this is just sloppy encroaching legalese gobbledygook.

------
ocdtrekkie
I feel like the first thing we should talk about is how this is effectively a
keylogger, similar to Windows 10's inking and typing setting, albeit with
likely poorer security.

Collecting everything you type into a web browser (or MS Office) and sending
it to them seems like a really bad idea.

~~~
kinkrtyavimoodh
Aren't all password managers keyloggers too?

~~~
ocdtrekkie
I personally stay far away from password managers, especially as browser
extensions. I'd really recommend _everyone_ look at how many of their Chrome
extensions have the permission to "access your data on all websites", and
consider whether or not they _really_ trust the companies or individuals who
made those extensions with that permission.

It's eye-opening to people when I ask them about an extension they have, say
"Honey", and they say they like it because it saves them money. And then I
point out it can access _everything they do online_, and ask them if that's a
concern or not.

~~~
dokument
> I personally stay far away from password managers

I am curious how you manage your passwords.

~~~
Spooky23
Use an out of band password manager, whose key is never transmitted over a
network. Or a notebook that is physically secured. There are a number of
solutions for password vaults, and you can use a variety of means to
synchronize them if needed.

The notion that it's a good idea to trust a browser extension for secrets
management is pretty bizarre to me if you're protecting high value assets.

~~~
danieldk
As always, it depends on your threat assessment and what is practically
possible. For the vast majority of users, using a password manager browser
extension [1] is a large improvement over password re-use over dozens of
sites. Most folks will also not want to put in the effort to use an out-of-
band password manager.

(Not directed at you personally, but I often hear such comments from people
who are then perfectly fine to use a password manager in X11, where in the
default configuration every application can read your keystrokes, screen
grabs, clipboard, etc.)

[1] Preferably one that communicates with an out-of-process password manager
over an authenticated channel like 1Password.

------
boffinism
I nearly missed this bit at the bottom:

> Grammarly had fixed the issue and released an update to the Chrome Web Store
> within a few hours, a really impressive response time.

Nice to see a company take this kind of thing appropriately seriously
(although of course it should never have happened in the first place).

~~~
knute
It seems like it would be more fair for the headline to use the past tense.

~~~
nascar_is_bad
Gotta get that HN karma tho

~~~
ghostbrainalpha
You are getting down votes because HN has a policy that the HN Title should
match the Title on the link to prevent editorializing in almost all cases.

This prevents users from creating clickbait headlines to _get that karma tho_,
the majority of the time. Cases where the actual title is the clickbait, like
this one, are the unintended consequence of that policy.

~~~
dang
That's true, except the guideline reads "Please use the original title, unless
it is misleading or linkbait" and you can argue that once a vulnerability is
fixed, implying it's still there is misleading. So we often edit those titles
to past tense once that's more accurate. Same with "$site is down" -> "$site
was down".

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

------
marijn
Another nice thing about Grammarly is that the plugin just blindly detects
contentEditable inputs and starts screwing with their content. This very much
breaks modern WYSIWYG web editors, which typically expect to have control over
the editable content. Which more or less comes down to "move over page
scripts, I'm a browser plugin, this is _my_ webpage now".

~~~
fareesh
LastPass does this as well to input fields. Made it unusable for me. Haven't
used a password manager since (was a couple of years ago). Has this problem
been solved well recently?

~~~
alanh
I have been a 1Password user since ~2010 and never once has it ever made an
input field or login form unusable for me. (I used LastPass briefly before,
but vastly preferred 1Password's native apps and more secure architecture,
which was completely validated when LastPass was hacked a few years later)

------
tomswartz07
I have no idea if it's still an issue, but ~1.5 years ago, I was sorting
through my email, and discovered that a small plain text message was taking up
>3MB in my inbox.

I dug in a bit, and it turns out that Grammarly was embedding a gigantic
amount of code into the email messages in the form of stylesheets and other
things.

Needless to say, after raising it up the chain, we had the extension blocked
company-wide.

~~~
nijaru
I uninstalled it a couple of years ago when I realized it was doubling the
load times for every single page I visited. That embedded code is probably
why.

------
owurkan
Although as a non-native speaker I find their service very attractive, I've so
far refrained from installing their apps/extension. I was never confident
enough about how Grammarly would keep safe every word I type (emails,...).
This bug is a confirmation I should not trust them or any similar service.

~~~
superasn
I tried it and my browsing experience was just terrible. It made Chrome so
slow that there was a delay between typing and the character appearing. Haven't
tried it again.

~~~
pault
This was my experience as well. I don't know how anyone is able to use it; it
brought my 2017 MacBook Pro to its knees every time I would start writing an HN
comment. I uninstalled it after about 5 minutes.

~~~
mapcars
No issues with speed or anything, chromium, linux.

~~~
wccrawford
I had no speed issues here, either. Chrome, Windows and OSX.

That said, I removed it because the button in the lower right kept getting in
the way of things like resizing the textarea.

------
kuschku
This, just like Mozilla’s screenshot addon, and all the other examples, shows
why it’s an insane idea to mix addon content with the websites, and why it’s
important to make sure that addon content can run on the UI layer of the
browser, and not within the content of the sites.

Relying on "best practices" is always a security disaster waiting to happen;
if you don’t enforce security and separation in the design of the APIs and
languages already, you won’t get security.

~~~
MaxBarraclough
> it’s important to make sure that addon content can run on the UI layer of
> the browser, and not within the content of the sites

I don't get this thinking at all. Browser addons are trusted. That's the point
- they have special privileges to adjust browser behaviour.

If you go around installing malicious addons, you get no more sympathy from me
than if you'd gone around installing malicious kernel modules.

~~~
kuschku
The problem is the opposite.

For example, Firefox’ screenshot addon would inject HTML into the page, and
then the page could take the screenshot’s data and use it.

Addons currently have no way to reliably display their own UI on top of the
page, without the page intercepting it.

~~~
MaxBarraclough
Oh, right, I didn't get that from your original comment.

I agree, addons' workings shouldn't be exposed to untrusted websites.

------
xg15
I think Chrome's (and now Firefox') awkward extension sandboxing is partially
to blame, though.

When you add an extension page script, you get access to a page's DOM, but
you're completely isolated from the page's own JS: You get your own JS context
and window object without any modifications the page may have done to it.
That's usually reasonable as a page can mess with the built-in methods of its
context, so if an extension were to rely on them, the risk of privilege
escalation attacks would be really high.

Except sometimes an extension _does_ want to interact with the page JS, (e.g.
for accessing data the page only keeps in JS objects but not in the DOM.)

As far as I know, there is no safe way to do this in Chrome. The recommended
(!) way is to inject a script element into the DOM and exchange data with the
page script via some makeshift communication channel, e.g. postMessaging
yourself. This will of course drop you right back into the hall-of-mirrors of
potentially manipulated builtins that the page script isolation was trying to
keep you out of. But apparently now it's ok if you have to deal with that by
yourself.

From the looks of it, it seems Grammarly tried to open exactly that kind of
communication channel and didn't correctly secure it.
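
The "makeshift communication channel" described above is where this class of bug lives: a content script listens for page messages and answers them. The following is an added illustration, not Grammarly's code and not the actual bug, written as pure functions so it runs under Node without a DOM. The event objects mimic the MessageEvent fields that matter (origin, source, data); the origins, window objects and the token value are constructed placeholders, and `checkTextWithToken` is a stand-in for whatever privileged call the extension makes with the credential.

```javascript
// Added illustration (not Grammarly's code): a page-facing message handler in
// a content script, in a weak form and a hardened form. Runs under Node.

const SESSION_TOKEN = 'sess-CONSTRUCTED-0000'; // constructed placeholder credential

// Stand-in for the privileged call the extension makes on the user's behalf.
// The token is consumed here and never leaves the extension side.
function checkTextWithToken(text, token) {
  if (token !== SESSION_TOKEN) throw new Error('unauthorized');
  // constructed "grammar check": flag doubled words
  const issues = [];
  const words = text.split(/\s+/);
  for (let i = 1; i < words.length; i++) {
    if (words[i].toLowerCase() === words[i - 1].toLowerCase()) {
      issues.push({ index: i, message: `repeated word "${words[i]}"` });
    }
  }
  return { issues };
}

// Weak pattern: answers "getToken" for any sender. Any script on any page
// that can postMessage into this window receives the session token.
function weakHandler(event) {
  if (event.data && event.data.type === 'getToken') {
    return { type: 'token', token: SESSION_TOKEN };
  }
  return null;
}

// Hardened pattern, built by a factory so the handler knows its own window
// and its origin allowlist:
//  1. drop messages from origins outside an explicit allowlist;
//  2. drop messages whose source is not the window this script lives in;
//  3. validate the message shape before acting on it;
//  4. never expose the credential: do the privileged work here and return
//     only the result the page needs.
function makeHardenedHandler({ selfWindow, allowedOrigins }) {
  return function hardenedHandler(event) {
    if (!allowedOrigins.includes(event.origin)) return null;
    if (event.source !== selfWindow) return null;
    const msg = event.data;
    if (!msg || typeof msg !== 'object') return null;
    if (msg.type !== 'checkText' || typeof msg.text !== 'string') return null;
    if (msg.text.length > 10000) return null; // bound the work done for a page
    const { issues } = checkTextWithToken(msg.text, SESSION_TOKEN);
    return { type: 'checkResult', requestId: msg.requestId, issues };
  };
}

// Constructed windows and events. In a real content script you compare
// event.source against the global `window`; here plain objects play that role.
const ourWindow = { name: 'page-window' };
const otherWindow = { name: 'some-iframe' };

const hardened = makeHardenedHandler({
  selfWindow: ourWindow,
  allowedOrigins: ['https://docs.example'], // constructed allowlist
});

function demo() {
  const hostile = { origin: 'https://evil.example', source: ourWindow,
                    data: { type: 'getToken' } };
  const legit = { origin: 'https://docs.example', source: ourWindow,
                  data: { type: 'checkText', requestId: 7, text: 'the the quick fox' } };
  const spoofedSource = { ...legit, source: otherWindow };
  return {
    weakLeaksToken: weakHandler(hostile) !== null,
    hardenedRefusesHostile: hardened(hostile) === null,
    hardenedRefusesOtherSource: hardened(spoofedSource) === null,
    legitReply: hardened(legit),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of step 4 is the one that matters most: even with origin and source checks, a channel that hands the raw token to page context has made the token's security depend on every script on that page. Returning only the check result keeps the credential on the extension side of the boundary.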

~~~
bzbarsky
> I think Chrome's (and now Firefox')

Chrome and Firefox have _very_ different behaviors here.

In Chrome, there is no way at all to get hold of the page's JS objects.

In Firefox, the default behavior is that you don't interact with them, but you
can explicitly ask for them and once you have them you can work with them.
Depending on what you do with them, you may or may not be creating security
bugs, of course.

Critically, in Firefox you can have your separate clean builtins _and_ be
interacting with actual page JS objects at the same time.

There are arguments for and against both models, of course.

------
rwx------
I never felt comfortable using SaaS for checking grammatical mistakes. If
you are a Linux user, then "the language tool" is your best option.

[https://languagetool.org/](https://languagetool.org/)

You can download it and run it as a stand-alone application.

~~~
qubitcoder
Thanks for this suggestion. Unfortunately, LanguageTool failed to catch some
basic errors, like subject-verb agreement. E.g.

      I'll close the ticket once the item have been completed.

------
scosman
What's the etiquette for disclosure timeline on something like this? It feels
like 99.9999% of end users won't see this public disclosure, and waiting
enough time for auto-updates to be applied would be ideal. Public disclosure
as soon as the patch is available lets bad actors know about it while the vast
majority of users are still vulnerable.

~~~
tedivm
Project Zero is very aggressive about releasing exploit details as soon as a
patch is available - they don't wait for users to actually have a chance to
upgrade. This caused some drama when they were releasing vulnerabilities to
password managers.

~~~
jwilk
In the free software world, full disclosure when the fixed version is
available is a normal practice. Partial disclosures are rather frowned upon.

------
mathgeek
TL;DR: update your Grammarly plugins so that you get the fix to this issue.

~~~
cirowrc
Maybe I'll sound stupid, but is it possible to force an update of a Chrome
extension without removing it and then adding it again from the store? Is that
application-specific?

thx!

~~~
bfred_it
Yes, after you enable Developer mode:
[https://i.imgur.com/Uehu1As.gif](https://i.imgur.com/Uehu1As.gif)

------
alanh
So… I of course had no specific idea about this, but in 2014(?) I declined
recruiting pursuits from Grammarly after realizing that their developers were
almost entirely managed from another hemisphere. It sounded like a very top-
down, low-collaboration, anti-engineer environment. I am not at all surprised
that major issues like this can and would occur in such an environment.

------
yeukhon
I am waiting for the typical "CEO of Grammarly here. I will answer any
questions you may have" comment, but I guess not.

~~~
chipperyman573
Not everyone reads Hacker News.

~~~
shervinafshar
I'm sure someone at that company does.

------
joemag
Between this disclosure and grammarly.com, I've been trying to understand how
Grammarly works, and therefore understand the impact of this event. Let me know
if I got this right:

1) Grammarly is a fancy grammar/spelling correction tool.

2) You use it by opening an account, and installing their browser extension.

3) As you type text into a web page, the extension sends that input back to
Grammarly, where their software analyzes it and provides correction
recommendations.

4) The text that was sent back is persisted under your account, and is
available for retrieval.

5) A software bug in their extension allowed a script on any site to see your
Grammarly auth token.

6) As a result, any malicious site could log into your account, and see what
you've been typing.

Is that the rough gist of it? If yes, then how in the world does #4 make any
sense? Why store and expose that data, knowing that it's likely to contain
troves and troves of sensitive and PII information...

------
jordache
Grammarly perhaps ranks up there amongst the most annoying startup names.

------
peterhadlaw
Kind of tangential, but does anyone else worry that systems like these will
start to dictate what is "correct" language? Basically pushing narratives
subtly through "correcting" totally acceptable speech.

~~~
ggg9990
Most people with any writing capability do not use these tools. They are for
foreign speakers of English or extremely poorly educated native speakers; they
only affect the bottom 50% of written content, which is not what affects the
development of language.

~~~
klibertp
Um, I just wrote a lengthy comment about how this is not exactly the case:
[https://news.ycombinator.com/item?id=16322795](https://news.ycombinator.com/item?id=16322795)

It's only mentioned in the comment, but the amount of mistakes in tech-related
writing, by native English speakers and otherwise, is gargantuan and
overwhelming, and I wish using something like Grammarly (if safe, open
source and so on) were a requirement for putting your writing on the web.

As it is, the quality of writing is so bad that I (as a foreign speaker)
don't improve my English in any way by reading it, and I have to be very
careful not to repeat these mistakes in my own writing later.

------
djsumdog
Are there any good open source grammar checkers for English? Spanish? German?

I recently loaded WordPerfect for Win3.1 into a Win3.1+DOSBox instance because
I remember its grammar checker back in the 90s was far superior to what's
built into MS Word today. I've been meaning to test it out and do a comparison
blog post.

~~~
ivanfon
There’s LanguageTool, a wonderful open-source tool. I’ve only used it for
English, but it supports a lot of languages. There are also addons for a lot of
editors.

[https://languagetool.org/](https://languagetool.org/)

------
pvdebbe
The day I heard about Grammarly (I saw a YouTube ad), I thought to myself:
free to use, so this surely monetizes by analysing all my input on their
servers, wherever they are.

It looks like a good product. If they offered a true offline version for
desktop with 4+ updates a year, I could see myself paying for it.

------
blackRust
It doesn't say anything about token rotation and lifetime. Is there any
information directly from Grammarly?

How long are those tokens valid for?

Did they invalidate all existing tokens?

------
Sephr
bit.ly had a similar vulnerability that I detected in 2008 through their
bookmarklet. Unfortunately it seems I lost my exploit PoC.
[https://eligrey.com/blog/bitly-vulnerabilities/](https://eligrey.com/blog/bitly-vulnerabilities/)

------
watertom
I blocked Grammarly at my last company, nothing like giving a company tracking
access to everything you type or read, and their EULA gives them the rights to
everything they track.

Using Grammarly is stupid, paying them is downright insane.

~~~
ocdtrekkie
We block extensions, period, on Google Chrome, as it prevents most malware
outright. But then we've also discovered Grammarly's Microsoft Office plugin
installs to the user folder (without requiring admin rights) as well. I've
made a request to our antivirus vendor to add detection and blocking of
Grammarly specifically; for the moment we're detecting it a different way.

~~~
stryk
May I ask how you're detecting it? If you can't say [or don't want to] for
whatever reason that's fine, I'm merely curious is all.

~~~
ocdtrekkie
We have a couple different layers we can work with here, both on the computers
and the network.

~~~
Moter8
He asked for a specific thing, and you answered with nothing at all.

~~~
iooi
What if GP was working for Grammarly and wanted to avoid detection?

~~~
stryk
I do not, but that's not an invalid concern.

------
alishan
How did they fix it?

~~~
mkagenius
Should wait to see if data was compromised; they can fix the extension,
though.

------
_pmf_
That's almost as pathetic as their "Lily the Social Media Manager" ad.

------
szbelieves
It's not surprising whatsoever. Where's that ad money coming from? Must be
shady practices.

~~~
evan_
They sell a “pro version” with extra features.

