Building a slide deck, pitch, or presentation? Here are the big takeaways:
- Grammarly, a Chrome extension that provides grammar checks, had a security flaw that exposed users’ documents.
- The flaw may have put personal files and information at risk, and may have exposed company information as well where the extension was installed on business devices.
A security flaw in the Grammarly Chrome extension may have inadvertently made users’ private documents publicly accessible, according to a bug report.
The Chrome extension’s vulnerability allowed any website to access a user’s authentication tokens, which then provided access to their private documents, history, and data, Tavis Ormandy, a researcher for Google’s Project Zero, said. Aside from risking personal information, hackers could have reached company documents if they were edited in the Grammarly Editor.
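The defect Ormandy describes is an extension answering any page that asks for its session token. The standard defence is for the extension's content script to compare the requesting page's full origin against a fixed allowlist before replying. The following is an added illustration of that check, not Grammarly's code; the allowlisted origins and the message type names are hypothetical placeholders.

```javascript
// Added illustration of the defensive pattern; not Grammarly's code.
// A content script that can hand out a session token must only answer
// pages it trusts. Comparing the full origin (scheme + host + port) of
// each request against an allowlist is the check whose absence lets
// any website ask for the token.

// Placeholder allowlist of first-party origins (hypothetical values).
const TRUSTED_ORIGINS = new Set([
  "https://editor.example",
  "https://app.editor.example",
]);

// Exact-origin comparison: no suffix or substring matching (so
// "https://editor.example.attacker.test" is rejected), no opaque
// "null" origins (sandboxed frames, file: pages), HTTPS only.
// Running the string through the URL parser normalises a default
// port (":443") and rejects anything that is not a parseable origin.
function isTrustedOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return false;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false;
  }
  return url.protocol === "https:" && TRUSTED_ORIGINS.has(url.origin);
}

// Decide whether a postMessage request may be answered with a token.
// `event` mimics a MessageEvent ({ origin, data }); `token` would be
// read from extension storage in a real deployment.
function handleTokenRequest(event, token) {
  if (!isTrustedOrigin(event.origin)) return null; // ignore silently
  if (!event.data || event.data.type !== "token-request") return null;
  return { type: "token-response", token };
}

// Wiring inside a content script: reply to the sender only, and with
// the sender's exact origin as target, never "*".
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const reply = handleTokenRequest(event, "<token from extension storage>");
    if (reply) event.source.postMessage(reply, event.origin);
  });
}
```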
“I’m calling this a high severity bug, because it seems like a pretty severe violation of user expectations,” Ormandy said in his bug report.
The extension, installed by over 22 million people, acts as a grammar check for anything from emails to tweets. The bug was only able to access documents that had been uploaded and worked on in the Grammarly Editor. It only took four lines of code to trigger the flaw, Ormandy found.
Grammarly issued an automatic update on Monday to remedy the issue. A Grammarly spokesperson said they had found no evidence that user data was compromised.
Companies may want to reexamine their security policies regarding extensions used on company devices or when handling company documents to ensure everything is safe.
Shadow IT has been rising in recent years, with more employees bringing their own software and plugins without running them past IT first. Increasing adoption of cloud apps is one reason it’s growing, according to an April 2017 Netskope report.
