ICT Security-Sécurité PC et Internet

Have you watched a YouTube video lately in a country where English is widely used?

If so, we’re willing to bet that you’ve seen an advert for Grammarly, an online spelling and grammar checker.

In fact, we’ll suggest you’ve seen the Grammarly ad many times, perhaps even very many times – we certainly have.

The ads seem to be working, with the product currently closing in on 1,000,000 installs in Firefox, and already claiming more than 10,000,000 in Chrome.

As the product pitch in the Firefox add-on store explains:

Once you register your new account, you will start to receive weekly emails with personalized insights and performance stats (one of our most popular new features). Working on a large project, an essay, or a blog post? No sweat. You can create and store all of your documents in your new online editor.

In other words, your Grammarly account ends up knowing a lot about you, and holding copies of a lot of what you’ve written.

A security hole in Grammarly could therefore tell crooks much more about you than you’d like them to know.

Learn more / En savoir plus / Mehr erfahren.

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Grammarly

Grammarly has fixed a security bug in its Chrome extension that inadvertently allowed access to a user's account -- including their private documents and data.

Tavis Ormandy, a security researcher at Google's Project Zero who found the "high severity" vulnerability, said the browser extension exposed authentication tokens to all websites.

That means any website can access a user's documents, history, logs, and other data, the bug report said.

"I'm calling this a high severity bug, because it seems like a pretty severe violation of user expectations," said Ormandy, because "users would not expect that visiting a website gives it permission to access documents or data they've typed into other websites."

In proof-of-concept code, he explained how to trigger the bug in four lines of code.

More than 22 million users have installed the grammar-checking extension.

Ormandy filed his bug report Friday, subject to a 90-day disclosure deadline -- as is the industry standard. Grammarly issued an automatic update Monday to fix the issue.

Ormandy has in recent months examined several vulnerable web browser extensions. Earlier this year, he found a remote code execution flaw in the Cisco WebEx Chrome extension, and a data-stealing bug in the popular LastPass password manager.

A spokesperson for Grammarly did not immediately return a request for comment.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=DATA-BREACHES