$10,500 Bounty: A Grammarly Account Takeover Vector
Summary
A researcher known as cache-money discovered a vulnerability in Grammarly’s single sign-on (SSO) system that could have led to denial of service and account takeover.
Grammarly’s Business edition includes SAML-based SSO, which lets organisations manage access centrally: each organisation is assigned a unique entityId so that its users can log in securely through the corporate identity provider.
However, the system did not properly sanitise or validate entity IDs, so different parts of it handled entityId values inconsistently.
In practice, the bug could be triggered because an entityId followed by a trailing space was not treated as equal to the same entityId without the space.
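The following Python is an added illustration, not Grammarly’s code and not the researcher’s report, of the class of defect described above: one code path strips whitespace from an entityId before looking up the organisation while a second path compares the raw string, so an entityId with a trailing space resolves to an organisation and then fails (or passes) a later check depending on which path runs. The hardened version canonicalises once at the boundary and rejects rather than silently trims. The registry contents, the URI pattern and all function names are constructed for the example.

```python
"""Inconsistent entityId normalisation vs. a single canonical form.

Hypothetical code for illustration; the registry and identifiers are constructed.
"""
import re
from typing import Optional

# Constructed sample registry: organisation slug -> registered SAML entityId.
ORG_REGISTRY = {
    "acme": "https://idp.example.com/saml/acme",
}


# --- Inconsistent handling (the failure mode) ---------------------------------

def lookup_org_inconsistent(entity_id: str) -> Optional[str]:
    """Lookup path: strips surrounding whitespace before matching."""
    wanted = entity_id.strip()
    for org, registered in ORG_REGISTRY.items():
        if registered == wanted:
            return org
    return None


def entity_ids_match_inconsistent(entity_id: str, org: str) -> bool:
    """Verification path: compares the raw, un-stripped string."""
    return ORG_REGISTRY[org] == entity_id


def resolve_inconsistent(entity_id: str) -> str:
    """Two notions of equality in one flow.

    'https://.../acme ' (trailing space) resolves an organisation in the
    lookup but then fails the raw comparison: the same value is both
    "equal" and "not equal" to the registered entityId.
    """
    org = lookup_org_inconsistent(entity_id)
    if org is None:
        return "unknown"
    return "match" if entity_ids_match_inconsistent(entity_id, org) else "mismatch"


# --- Hardened: one canonical form, validated at the boundary -------------------

# Constructed pattern: a URI scheme, a colon, then no whitespace anywhere.
ENTITY_ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:[^\s]+$")


class InvalidEntityId(ValueError):
    """Raised when an entityId does not pass strict validation."""


def canonical_entity_id(raw: str) -> str:
    """Single normalisation point used by every code path.

    Whitespace and control characters are rejected outright instead of
    being stripped, so there is exactly one spelling of each entityId.
    """
    if raw != raw.strip() or any(ch.isspace() or ord(ch) < 0x20 for ch in raw):
        raise InvalidEntityId("entityId contains whitespace or control characters")
    if not ENTITY_ID_RE.match(raw):
        raise InvalidEntityId("entityId is not a valid URI")
    return raw


def register_org_hardened(org: str, raw_entity_id: str) -> None:
    """Registration goes through the same canonical form as lookup."""
    entity_id = canonical_entity_id(raw_entity_id)
    if entity_id in ORG_REGISTRY.values():
        raise InvalidEntityId("entityId already registered to another organisation")
    ORG_REGISTRY[org] = entity_id


def resolve_hardened(raw_entity_id: str) -> str:
    """Lookup after canonicalisation; malformed input never reaches the registry."""
    try:
        entity_id = canonical_entity_id(raw_entity_id)
    except InvalidEntityId:
        return "rejected"
    for org, registered in ORG_REGISTRY.items():
        if registered == entity_id:
            return org
    return "unknown"


if __name__ == "__main__":
    for value in ("https://idp.example.com/saml/acme", "https://idp.example.com/saml/acme "):
        print(repr(value), "->", resolve_inconsistent(value), "/", resolve_hardened(value))
```

The design point is that the fix is not "strip everywhere" but "canonicalise in exactly one function and call it on every path, including registration"; once two representations of an identifier can coexist, any check that compares them differently from the lookup becomes a security boundary by accident.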
The researcher was awarded a $10,500 bounty for uncovering the bug.
This case highlights the need for consistent and rigorous validation and sanitisation of data throughout any integrated software system.