Update: Grammarly Says It Corrected Sign-in Vulnerabilities After Alert From Cyber Researchers
Grammarly, a popular typing assistant, has fixed vulnerabilities that could have exposed user logins. The bugs affected social sign-in through platforms like Facebook or Google and stemmed from flaws in the implementation of Open Authorization (OAuth). Security company Salt Security discovered the flaws and notified Grammarly and other affected apps.

The vulnerabilities could have allowed attackers to leak credentials and take over user accounts. No Grammarly accounts were compromised, and the company welcomed the activity by third-party experts.

Salt Security published a report explaining the issues with OAuth and highlighted that many other websites using social sign-in mechanisms may be vulnerable. The technique used by Salt Labs researchers is called the "Pass-The-Token Attack." OAuth is widely adopted, but the issues arise from how individual sites implement it. Experts recommend using single sign-on solutions instead of social sign-ins.
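The article does not describe the specific implementation mistake behind the Grammarly bugs, so the following is an added illustration of one well-known class of OAuth social-login pitfall, not Grammarly's code or the exact flaw Salt Labs reported. A site's "log in with provider" endpoint receives a provider-issued access token and must decide whether it was actually issued to that site before treating it as proof of identity. The token-info records, app identifier and user values below are constructed placeholders; the `TokenInfo` shape is an assumption modelled on the kind of fields provider token-inspection endpoints typically return.

```python
"""Added example: validating a provider-issued token at a site's own social-login endpoint.

The weak handler trusts any live token and keys the account on the e-mail address, so a
token that the same user granted to some *other* client would be accepted here too.
The hardened handler additionally requires that the provider reports the token as issued
to this site (the audience / app-id check) and keys the account on the provider's stable
user id. All data below is constructed; nothing here is a real token or real app id.
"""
from dataclasses import dataclass
from typing import Optional
import time

OUR_APP_ID = "app-id-of-our-site"  # hypothetical placeholder for this site's client id


@dataclass(frozen=True)
class TokenInfo:
    """Assumed shape of a provider's token-info / debug response (constructed, not a real API)."""
    app_id: str        # client the token was issued to (often "aud" or "app_id")
    user_id: str       # provider's stable subject identifier
    email: str         # mutable, user-controlled at the provider; not a good account key
    expires_at: float  # unix time
    is_valid: bool     # provider says the token is live (not revoked)


def weak_login(info: TokenInfo, now: Optional[float] = None) -> Optional[str]:
    """Insecure: accepts any live token for the user, regardless of which app it was issued to."""
    now = time.time() if now is None else now
    if not info.is_valid or info.expires_at <= now:
        return None
    return info.email  # account looked up by e-mail; no audience check


def hardened_login(info: TokenInfo, expected_app_id: str = OUR_APP_ID,
                   now: Optional[float] = None) -> Optional[str]:
    """Accept the token only if it is live, unexpired and issued to *this* site."""
    now = time.time() if now is None else now
    if not info.is_valid:
        return None
    if info.expires_at <= now:
        return None
    if info.app_id != expected_app_id:   # the audience check the weak handler lacks
        return None
    return info.user_id  # key the local account on the provider's stable subject id


# Constructed sample responses, as a provider might report them for the same user.
FIXED_NOW = 1_700_000_000.0
TOKEN_FOR_OUR_APP = TokenInfo("app-id-of-our-site", "provider-user-1001",
                              "alice@example.com", FIXED_NOW + 3600, True)
TOKEN_FOR_OTHER_APP = TokenInfo("app-id-of-some-other-app", "provider-user-1001",
                                "alice@example.com", FIXED_NOW + 3600, True)
EXPIRED_TOKEN = TokenInfo("app-id-of-our-site", "provider-user-1001",
                          "alice@example.com", FIXED_NOW - 1, True)


def compare_handlers(now: float = FIXED_NOW) -> dict:
    """Run both handlers over the samples; returns which tokens each one would log in."""
    samples = {"ours": TOKEN_FOR_OUR_APP, "other_app": TOKEN_FOR_OTHER_APP, "expired": EXPIRED_TOKEN}
    return {
        "weak": {name: weak_login(tok, now) for name, tok in samples.items()},
        "hardened": {name: hardened_login(tok, now=now) for name, tok in samples.items()},
    }


if __name__ == "__main__":
    for handler, results in compare_handlers().items():
        print(handler, results)
```

The point of the comparison is the `other_app` row: the weak handler logs the user in from a token that was never meant for this site, while the hardened one refuses it. In a real deployment the `TokenInfo` would come from the provider's own token-inspection endpoint, and the `expected_app_id` must be the site's registered client id, never a value taken from the request.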