So, the notoriously good Tavis Ormandy at Google's Project Zero, the security research arm of Google that takes a look at a lot of programs and tries to put holes in them: well, he found another one, and it's a pretty big hole, over at Grammarly. Now, I figured I'd talk about this because I've recommended it, and it's still a good program, and I really want to cover the back-and-forth response and what actually is happening. Because "Grammarly hacked" is what might be the title, but let's talk about what's hacked, because it's not the entire thing, and it's not doom-and-gloom headline grabbing, as people might think.
So Tavis found a problem with the Grammarly Chrome extension, which is a tool to help you with your grammar, which I'm bad at. I've used the extension before; it's very helpful. "The Grammarly Chrome extension, which has approximately 22 million users, exposes all of its token authentications to all websites; therefore any website can log into Grammarly.com as you and access all of your documents, history, logs, and all other data. I'm calling this a high severity bug because it seems like a pretty severe violation of users' expectations. Users would not expect that visiting a website gives it permission to access documents or data they've typed into other websites." And he has all the details of how to reproduce it, and I'll leave a link to this in the description below. And in short, basically, you could take a session cookie, pull it from Grammarly for a particular user, and then reuse it to log in. Now, this is part of the Grammarly plug-in, but it's not the plug-in itself that was compromised, so let's get down to the security details of it. It was the login for app.grammarly.com and the files like this.
So I have these test files, which are actually from when I did my review. I've never logged back in, because when I use Grammarly I use it as a browser extension to do checking of my grammar inside of text boxes and things like that, so when you're editing places it will edit that. Well, that's cool, but that being said, if you are uploading things to here, people could log in and they could see your profile; they could see if you were saving documents in here and using their editor. I don't really know why I would use it, but whatever, it's a feature you could have, and obviously they shouldn't be able to log in.
Now, the good news is how Grammarly responded. It took them about 24 hours to patch this, and per Grammarly on their website: "The security issue has been resolved. At this time, Grammarly has no evidence that user information was compromised by this issue. The bug potentially affected text saved in the Grammarly editor." So unless you were saving things in the Grammarly editor... if someone were to use this bug, which, it's kind of a loose thing here, we didn't see it actively exploited in the wild, but anyone could have done it, so there's that, so something to think about.
That being said, excellent response by them: they owned up to the problem, admitted there's a problem, fixed the problem within 24 hours. And there's also a thread in here, and it does appear to be fixed; even Tavis has commented on this: "Grammarly had fixed the issue and released the update to the Chrome Web Store within a few hours, a really impressive response time. I verified that Mozilla now also has the update, so users should be able to auto-update to the fixed versions. I'm calling this issue fixed." So it has been closed, and once it was closed it was publicly released about what happened, which is part of the whole disclosure for vulnerabilities.
Now, this does bring up some concern, because if Grammarly can see everything that's being typed, and if you're typing things that are confidential and they're using that for spell checking, you really want them to be secure. But it's also thinking about that all that data could be flowing into Grammarly.
Now, the good news is, once Tavis has taken a look at a product, he generally takes a pretty thorough look at the product, so there may be other pieces of this that get looked at, which is great; that's kind of what I like to see. And he generally picks security projects that affect a large user base, and I want to bring that up because some people tell me about things that they think are secure or not secure, and they go, "Well, no one ever found the flaw, it's never had a major breach." I'm like, yeah, but if it doesn't have a big user base and you don't have people like Tavis maybe looking at it... because, you know, if security researchers really want to be famous, they generally go after large-install-base products, that's just the way it works, or when there's a large bounty attached to some of those products, you know, for finding bugs. If you just develop your own security stack and you're like, "It's never been hacked, it must be secure": until someone really spends the time, or you pay a security team to audit your stuff, it doesn't mean it's secure.
So I'm excited when I see him diving into this, because he's dove into some problems at LastPass and found some obscure flaws in LastPass, but I feel better today about LastPass as a system because Tavis, who came up with some really obscure ways to mess with LastPass... they were fixed right away, the response from LastPass was immediate, and they were really non-arbitrary things. They weren't trivial like this to exploit; they required a series of steps to compromise your computer in order to compromise LastPass. So it's important to think about that. I've done two different videos on "LastPass hacked"; I can link them in the description as well, but it's something to consider when you're looking at these.
So I don't think that Grammarly is an insecure product, but it's just something to keep in mind, because it does authorize it to read everything that you type in your browser. So, what are you typing in your browser that is something you would be worried about being spell-checked? So I just want to throw those thoughts out there, but let you know that the details of it are a little different than I see in some of the headlines. Was Grammarly hacked? Well, they could get into your website, which is bad, but not as bad as them being able to get everything you ever typed in every browser everywhere. It's only things you saved into their website people had access to, that we know of.
But don't worry: if he's taken one look at the product, generally we see a release of vulnerabilities or disclosures on those products. He's very persistent, we'll say, for sure. But in the end, we all want better products that are more secure and better coded, so we can use them with better trust. So hopefully this was insightful and covers some of the Grammarly hack. It's something definitely to think about, but good news: it's fixed. So if you're using Chrome, the browser plugins auto-update, and it's been fixed in the whole system; hopefully all works well now. So thanks for watching. If you like the content here, like and subscribe, and like I said, I'll leave a link in the description so you can read it for yourself. I don't want to hide anything or sugarcoat any of this. Thanks.