Grammarly Browser Extension Vulnerability Exposed All User Documents to Websites

Critical

Grammarly's browser extension contained a critical vulnerability that exposed all 22 million users' documents to any website they visited, discovered by Google Project Zero researcher Tavis Ormandy.

Category: Privacy Leak
Industry: Technology
Status: Resolved
Date Occurred: Feb 2, 2018
Date Reported: Feb 2, 2018
Jurisdiction: International
AI Provider: Other/Unknown
Model: Grammarly Writing Assistant
Application Type: embedded
Harm Type: privacy
People Affected: 22,000,000
Human Review in Place: Unknown
Litigation Filed: No
Tags: browser_extension, authentication_bypass, document_exposure, writing_assistant, CSRF, privacy_breach

Full Description

On February 2, 2018, Google Project Zero security researcher Tavis Ormandy discovered a critical vulnerability in Grammarly's browser extension that exposed the complete document history of all 22 million users to any website they visited. The vulnerability stemmed from an improper authentication implementation in the extension's communication with Grammarly's servers: only cookies were used for authentication, without proper origin validation. The flaw allowed any website to access Grammarly's text editor interface and retrieve all documents associated with a user's account through cross-site request forgery attacks.

This meant that malicious websites could silently access users' complete document libraries, including sensitive corporate communications, legal documents, medical records, financial information, and personal correspondence that users had processed through Grammarly's AI writing assistant. Ormandy demonstrated the vulnerability with a proof-of-concept that could extract user documents within seconds of a user visiting a malicious website.

The exposure was particularly severe because Grammarly's AI tool is widely used by professionals, lawyers, journalists, and business executives who frequently process highly sensitive and confidential documents through the service. Upon notification, Grammarly immediately disabled the affected extension functionality and released a security update within hours. The company confirmed that the vulnerability had existed since the extension's launch but stated that it found no evidence of active exploitation.

The incident highlighted the significant privacy risks inherent in AI writing tools that maintain persistent access to user content for analysis and improvement purposes, and raised broader questions about the security practices of AI writing assistants and browser extensions that process sensitive content. Grammarly's response included implementing additional security measures, conducting a comprehensive security audit, and working with security researchers to improve its vulnerability disclosure process.

Root Cause

Browser extension implemented authentication using only cookies without origin validation, allowing any website to access Grammarly's editor and retrieve all user documents through cross-site request forgery.

Mitigation Analysis

Proper origin validation and authentication token mechanisms could have prevented unauthorized access. Implementing Content Security Policy headers, same-origin policy enforcement, and regular security audits of browser extension APIs would have detected this vulnerability. Additionally, document access controls limiting what content extensions can access would reduce exposure scope.

Lessons Learned

AI writing tools that maintain persistent access to user documents create significant privacy risks if not properly secured. Browser extensions require rigorous security testing and proper authentication mechanisms to prevent document exposure. The incident demonstrates the need for stronger security standards in AI applications that process sensitive content.

Sources

Security Update: February 2, 2018
Grammarly · Feb 2, 2018 · company statement
Critical Grammarly Bug Let Websites Steal User Documents
BleepingComputer · Feb 3, 2018 · news