CVE-2018-6654 in Grammarly Extension

Summary

by MITRE

The Grammarly extension before 2018-02-02 for Chrome allows remote attackers to discover authentication tokens via an 'action: "user"' request to iframe.gr_-ifr, because the exposure of these tokens is not restricted to any specific web site.


Analysis

by VulDB Data Team • 01/01/2020

CVE-2018-6654 describes an access-control weakness in the Grammarly browser extension for Chrome that existed in versions released before February 2, 2018. The issue is classified as improper access control (CWE-284): the extension did not restrict which web sites could obtain the user's authentication tokens. The weakness sits in the extension's cross-origin communication mechanism, so any web page the user happened to visit could obtain the user's session data.

Technically, the vulnerability stems from the extension's use of an injected iframe, iframe.gr_-ifr, as the channel through which pages and the extension exchange user-related requests. When a page sent an 'action: "user"' request to that iframe, the pre-fix extension answered it without checking the origin of the requesting page. Any site the user visited could therefore ask for, and receive, authentication tokens that should have been available only to Grammarly's own components. This is a missing origin check on a cross-origin messaging channel, not a CORS misconfiguration and not an input-validation bug: the request was well-formed, it simply came from a party that should never have been answered.

The operational impact is significant because exploitation needs neither privileged access nor a complex technique: a page loaded in the victim's browser can harvest the tokens directly. Once obtained, a token lets the attacker act as the user against the Grammarly service, which could expose documents and account data and enable account takeover. Users who rely on Grammarly for sensitive writing are most affected, since the stolen tokens could provide access to their writing history and the personal information stored in the service. VulDB tags this issue with ATT&CK technique T1531; the behaviour described here, theft of a replayable access token, more closely matches T1528 (Steal Application Access Token).

The root cause is a gap in the extension's security architecture: the iframe communication channel performed no origin validation. Without a check on the requesting origin, any web site could send requests to the Grammarly iframe and receive responses containing authentication material. This class of bug is especially dangerous in browser extensions because they run with elevated privileges and hold user data on behalf of every page the user visits. The fix was to check the origin of each request and release tokens only to Grammarly's own components rather than to arbitrary pages. In practice that means comparing the browser-supplied origin of each message with an explicit allowlist using exact string equality (not a substring or regular-expression match, which look-alike hostnames can satisfy), dropping anything else, and naming an explicit target origin when replying. The origin attached to a cross-window message is set by the browser and cannot be forged by page script, which is what makes this check reliable.
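The two preceding paragraphs on the missing origin check and on the fix are illustrated below with an added example. This is not Grammarly's code and not the proof of concept for the CVE; the page only states that an 'action: "user"' request to the extension's iframe returned tokens regardless of the requesting site. The token value, the origins, the message shape and the handler names are all assumptions made for the example. A browser `message` event carries `event.origin` (set by the browser) and `event.data`; the small `deliver` helper stands in for `window.postMessage` so the code runs offline in Node.

```javascript
// Added illustration, not the extension's code: a postMessage-style handler
// that hands a session token to any origin, beside a hardened handler that
// checks the origin against an allowlist. Token, origins and message shape
// are constructed for this example.
"use strict";

// Constructed sample data: the session token the iframe holds for the user.
const SESSION = { token: "tok_EXAMPLE_0123456789" };

// Assumed allowlist of origins entitled to ask the iframe for user data.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Vulnerable pattern (the bug class the CVE describes): any page that sends
// {action: "user"} gets the token back, because event.origin is never read.
function vulnerableHandler(event) {
  if (event.data && event.data.action === "user") {
    return { action: "user", user: SESSION }; // leaks the token to any origin
  }
  return null;
}

// Hardened pattern: exact-match the browser-supplied origin against the
// allowlist (never a substring/regex test, which a look-alike host such as
// "https://app.example.com.attacker.example.net" would pass), validate the
// payload, and name the origin the reply is meant for.
function hardenedHandler(event) {
  if (typeof event.origin !== "string" || !ALLOWED_ORIGINS.has(event.origin)) {
    return null; // silently drop requests from foreign origins
  }
  const data = event.data;
  if (!data || typeof data !== "object" || data.action !== "user") {
    return null; // unexpected message shape
  }
  // targetOrigin is what the real code would pass to source.postMessage(...)
  // so that a frame navigated elsewhere cannot receive the reply.
  return { action: "user", user: SESSION, targetOrigin: event.origin };
}

// Stand-in for window.postMessage / onmessage: builds the event object the
// browser would deliver and returns what the handler would post back
// (null when it refuses).
function deliver(handler, origin, data) {
  return handler({ origin, data, source: null });
}

// Constructed attacker origins: an unrelated site and a look-alike hostname.
const ATTACKER_ORIGIN = "https://attacker.example.net";
const LOOKALIKE_ORIGIN = "https://app.example.com.attacker.example.net";

// Runs the same {action: "user"} request against both handlers from several
// origins and returns the outcomes keyed by scenario.
function demo() {
  const req = { action: "user" };
  return {
    vulnerableFromAttacker: deliver(vulnerableHandler, ATTACKER_ORIGIN, req),
    hardenedFromAttacker: deliver(hardenedHandler, ATTACKER_ORIGIN, req),
    hardenedFromLookalike: deliver(hardenedHandler, LOOKALIKE_ORIGIN, req),
    hardenedFromApp: deliver(hardenedHandler, "https://app.example.com", req),
    hardenedBadShape: deliver(hardenedHandler, "https://app.example.com", "user"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the block shows the vulnerable handler returning the token for the attacker origin while the hardened handler returns nothing for the attacker, nothing for the look-alike hostname, nothing for a malformed payload from a trusted origin, and the token only for the allowlisted origin. In a real extension the equivalent of `deliver` is the browser itself, and the check on `event.origin` is the only line that separates the two handlers.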

Reservation

02/05/2018

Disclosure

02/05/2018

Moderation

accepted

CPE

ready

EPSS

0.00114

KEV

no

Activities

very low

Sources
