Grammarly's flawed Chrome extension exposed users' private documents

10:12 06 February 2018 Source: zdnet.com


ZDNet 2/6/2018 Zack Whittaker.

Grammarly has fixed a security bug in its Chrome extension that inadvertently allowed access to a user's account -- including their private documents and data.

Tavis Ormandy, a security researcher at Google's Project Zero who found the "high severity" vulnerability, said the browser extension exposed authentication tokens to all websites.

That means any website can access a user's documents, history, logs, and other data, the bug report said.

"I'm calling this a high severity bug, because it seems like a pretty severe violation of user expectations," said Ormandy, because "users would not expect that visiting a website gives it permission to access documents or data they've typed into other websites."


In proof-of-concept code, he explained how to trigger the bug in four lines of code.

More than 22 million users have installed the grammar-checking extension.

Ormandy filed his bug report Friday, subject to a 90-day disclosure deadline -- as is the industry standard. Grammarly issued an automatic update Monday to fix the issue.


Ormandy has in recent months examined several vulnerable web browser extensions. Earlier this year, he found a remote code execution flaw in the Cisco WebEx Chrome extension, and a data-stealing bug in the popular LastPass password manager.

A spokesperson for Grammarly did not immediately return a request for comment.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.


Source: http://au.pressfrom.com/news/tech-and-science/-54483-grammarlys-flawed-chrome-extension-exposed-users-private-documents/
