Hackers are Stealing Data via Spellcheck Software
The Chrome and Firefox grammar-checking tool known as Grammarly had a flaw that exposed the accounts of all 22 million of its users to hackers.
This included access to all personal documents and records. The flaw was discovered on February 2nd, when researchers found that it took only 4 lines of JavaScript code to gain access to this personal information.
Essentially, any website that a Grammarly user visited could obtain his or her authentication tokens. This would allow a hacker to gain access to the user's account and all sorts of login data. Fortunately, the Grammarly team fixed the flaw on February 5th, an impressive response time given the severity of the situation. An automatic update for all Grammarly users was immediately implemented.
A Grammarly spokesperson also said in an email that the company has no evidence of users being compromised by this vulnerability.
The spokesperson also reassured users that the bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-on, or any typed text from other websites. If you are a Grammarly user, your software was automatically updated and requires no further action.
However, no matter how tight the online security of a software tool is, there are always workarounds. Someone will always find a way to bypass the security of a software tool and gain access to the user data. Any software written or supported by humans (which is most of it for the next decade at least) is subject to misconfiguration.
It's also important to consider the data you're entering into Grammarly. If you're editing a note to your doctor or your financial planner, there's more risk. Writing a blog post about Grammarly doesn't carry the same risk. In fact, it's already fixed a few errors in this blog.
Frequently Asked Questions: Grammarly Vulnerability
What happened with Grammarly and spellcheck software in this article?
The Cloud Cover article describes a vulnerability in the Grammarly browser extension for Chrome and Firefox that exposed authentication tokens for roughly 22 million users. With only a few lines of JavaScript, attackers could potentially access personal documents and records tied to a user’s Grammarly account.
Is Grammarly still vulnerable, or was the issue fixed?
According to the article, the flaw was discovered on February 2 and patched by February 5, with an automatic update pushed to all Grammarly users. Grammarly stated they had no evidence of compromised accounts, and the bug did not affect the Grammarly Keyboard, Office add-in, or typed text from other sites.
What does this vulnerability teach us about browser extensions and SaaS tools?
The main lesson is that any browser extension or cloud service that reads your text can become a high-value target for malicious actors. Even reputable tools can have serious bugs, so you should:
- Limit what sensitive information you send through extensions
- Review extension permissions
- Keep them updated and remove ones you don’t truly need
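One way to carry out the "review extension permissions" step, as an added example that is not from the original article or from Grammarly: a Node.js script that audits an extension's manifest.json for content scripts and host access covering every site, which is the exposure described above. The sample manifests, the list of permissions treated as sensitive, and the risk tiers are assumptions made for illustration.

```javascript
// Added example: flag extensions whose manifest lets them run on, or read, every site.
// content_scripts, matches, permissions and host_permissions are standard
// WebExtension manifest keys; the scoring below is an assumption of this example.
const BROAD_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const SENSITIVE_PERMISSIONS = new Set(['cookies', 'webRequest', 'tabs', 'clipboardRead', 'history']);

function isBroad(pattern) {
  return BROAD_PATTERNS.has(pattern);
}

function auditManifest(manifest) {
  const findings = [];
  // A content script matching all URLs runs inside every page the user opens.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(isBroad);
    if (broad.length) findings.push(`content script injected into every page (${broad.join(', ')})`);
  }
  // Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const hosts = declared.filter(isBroad);
  if (hosts.length) findings.push(`host access to all sites (${hosts.join(', ')})`);
  const sensitive = declared.filter((p) => SENSITIVE_PERMISSIONS.has(p));
  if (sensitive.length) findings.push(`sensitive API permissions: ${sensitive.join(', ')}`);
  const risk = findings.length >= 2 ? 'high' : findings.length === 1 ? 'medium' : 'low';
  return { name: manifest.name || '(unnamed)', risk, findings };
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLE_MANIFESTS = [
  { name: 'Intranet Notes (constructed)', manifest_version: 3,
    permissions: ['storage'],
    host_permissions: ['https://notes.example.com/*'],
    content_scripts: [{ matches: ['https://notes.example.com/*'], js: ['notes.js'] }] },
  { name: 'Writing Helper (constructed)', manifest_version: 2,
    permissions: ['cookies', 'storage', '<all_urls>'],
    content_scripts: [{ matches: ['<all_urls>'], js: ['editor.js'] }] },
];

// Audit every manifest and list the ones with the most findings first.
function auditAll(manifests) {
  return manifests.map(auditManifest).sort((a, b) => b.findings.length - a.findings.length);
}

for (const r of auditAll(SAMPLE_MANIFESTS)) {
  console.log(`${r.risk.toUpperCase().padEnd(6)} ${r.name}`);
  for (const f of r.findings) console.log(`  - ${f}`);
}
```

To audit real extensions, parse each installed extension's manifest.json from the browser profile and pass the resulting objects to `auditAll`.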
Is it safe to keep using Grammarly and similar spellcheck tools?
The specific Grammarly bug discussed in the article was fixed quickly. However, Cloud Cover emphasizes that no software is perfectly secure—especially tools that process sensitive text. It’s “safe enough” if you:
- Keep extensions updated
- Avoid using them on highly sensitive content (medical, financial, legal, etc.)
- Pair them with good endpoint security and browser hygiene
