Should There be a Hyphen in “Cyber Attack”? Don’t Let Grammarly Decide for You
Over 20 million writers use Grammarly to check spelling, grammar, punctuation and word context. In exchange for a simple registration and a willingness to view advertisements, users receive a browser extension enabling them to quickly submit an email or paper to a virtual copy-editor who immediately replies with perfect English-language fixes. Grammarly proclaims that it “helps you write mistake-free on Gmail, Facebook, Twitter, LinkedIn, and nearly anywhere else you write”, but apparently that’s not all it does.
Seems that even in digital grammar school there is no free lunch.
In recent news, a Google researcher alerted the public to a new potential hack. Grammarly’s extensions to Chrome and Firefox expose authentication tokens more clearly than a squiggly red underline.
Register with Grammarly, download the free browser extension, use the service a couple of times and, faster than you can write “the quick brown dog jumped over the lazy fox”, you are exposed. With only 4 lines of JavaScript, any other website you visit can get hold of your authentication token. The code simply asks the extension for the token that matches the Grammarly session cookie sitting on your PC, enabling someone else to impersonate you on the grammarly.com website, with access to all your documents, history and more.
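To make the mechanism concrete, here is an added illustration of the general pattern behind this class of bug, written for this article and not taken from Grammarly's extension or from the researcher's report. A content script that answers a "give me the token" message from any page hands the session to every site the user visits; the hardened version checks the sender's origin against an allow-list before replying. The token value, the message shape, the origin names and the cookie name are all constructed placeholders, and the browser wiring at the bottom only runs inside a real extension.

```javascript
// Added example: a token-leaking content-script pattern next to its hardened form.
// Everything below (token, origins, message type, cookie name) is constructed for
// illustration and is NOT Grammarly's actual code or cookie.

// Constructed stand-in for the session token the extension holds.
const SESSION_TOKEN = "sess-0123456789abcdef";

// Only pages on these origins are the extension's own UI and may ask for the token.
const ALLOWED_ORIGINS = new Set(["https://app.editor.example"]);

// Vulnerable pattern: the content script answers whoever asks. Registered on
// window "message" events, this fires for messages from any origin, so a script
// on attacker.example gets the same reply as the real web app would.
function vulnerableTokenHandler(event) {
  if (event.data && event.data.type === "getToken") {
    return { type: "token", token: SESSION_TOKEN };
  }
  return null;
}

// Hardened pattern: verify event.origin before doing anything, and never copy
// the token into the page's DOM or globals where any page script could read it.
function hardenedTokenHandler(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return null; // silently ignore requests from every other site
  }
  if (event.data && event.data.type === "getToken") {
    return { type: "token", token: SESSION_TOKEN };
  }
  return null;
}

// Simulate a page served from `origin` posting a getToken request to the handler.
// (In the browser the event object comes from window.postMessage.)
function simulateRequest(handler, origin) {
  return handler({ origin, data: { type: "getToken" } });
}

// What an attacker does with a stolen token: replay it as the session cookie
// on the service's own site. "session" is a placeholder cookie name.
function impersonationCookie(reply) {
  if (!reply || !reply.token) return null;
  return `session=${reply.token}`;
}

// Browser wiring: only executes when loaded as an extension content script.
if (typeof window !== "undefined" && typeof window.addEventListener === "function") {
  window.addEventListener("message", (event) => {
    const reply = hardenedTokenHandler(event);
    if (reply && event.source) {
      // Reply only to the verified origin, never with "*" as the target.
      event.source.postMessage(reply, event.origin);
    }
  });
}

// Stand-alone demo (Node): shows the attacker succeeding against the vulnerable
// handler and being refused by the hardened one.
function demo() {
  const attacker = "https://attacker.example";
  return {
    leakedCookie: impersonationCookie(simulateRequest(vulnerableTokenHandler, attacker)),
    hardenedReply: simulateRequest(hardenedTokenHandler, attacker),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The origin check is the whole fix: `event.origin` is set by the browser and cannot be forged by page script, whereas anything inside `event.data` is attacker-controlled. Checking it is also what the real-world advisory boiled down to, which is why a patch could ship so quickly.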
How significant is the danger?
I’d give it a low grade.
While we wouldn’t want our documents or email history exposed, the chances of this sort of breach are quite low. Even lower now, as Grammarly and Google got out their red pens over the weekend and quickly remedied the problem. If you are a current Grammarly user, your extension will be fixed automatically via a security update. After that, you should be covered.
Of course, if your PC is on a company or campus network where the IT people have implemented Remote Browser Isolation (RBI), this vulnerability was put in detention even before “Zero Day”. With RBI, all the websites that you visit, Grammarly among them, are executed in isolated containers within a remote “safe zone” and rendered as safe content streams that are sent to your PC, clean as a whistle. When you close a tab or stop browsing, the container is discarded along with any malicious code picked up from the site.
With RBI, you don’t have to worry about hackers and malware penetrating the corporate network via the browser. Your only concern is whether you’re mixing up homonyms again.