
I feel like the first thing we should talk about is how this is effectively a keylogger, similar to Windows 10's inking and typing setting, albeit with likely poorer security.

Collecting everything you type into a web browser (or MS Office) and sending it to them seems like a really bad idea.



Why is this story not bigger news? Grammarly is excreting ads into my eyes before nearly every YouTube video I watch, yet I don't see any mainstream sites covering this.


Mostly because cloud-connected keyloggers are mainstream. As I mentioned, Windows does it if you have their "inking and typing" setting enabled. A lot of mobile keyboard apps do it, especially if they say they use the cloud to help correct your typing.

Of course, in the case of Microsoft or Google, you presumably either have disabled the setting or you place your trust in their security practices that it is okay, because they are top tier companies, and most people send them all their private data anyways.

There are a LOT of things out there that collect everything you type these days, and rarely do people want to define them as keyloggers.


If it acts like a keylogger, it's a keylogger.

When people want privacy they will inevitably have to give up usability. I ditched Swiftkey for an open source Android keyboard that doesn't connect online or ask for any permissions. It's CRAP but it doesn't leak.


Ooh, what keyboard? Does it have gesture typing, and is it better than gboard (Google's own), which is the worst I've ever used?


I can't speak for GP, but I switched to Hacker's Keyboard[1] which doesn't support gesture typing. I'm pretty happy with it, though it's pretty barebones (it doesn't even turn on the phone's radio). Took a bit of getting used to -- the recommendations are different and it felt like the key hitboxes weren't the same as gboard, but it felt pretty familiar after a couple of weeks.

[1] https://github.com/klausw/hackerskeyboard


Thanks for this, exactly what I've been looking for


You should check out MessagEase keyboard. It is so accurate for me that I don't even need corrections. It takes a little bit of time to get used to, but once you get the hang of it, it's super fast.


Top tier doesn't necessarily mean better security. Your data being accessible from the cloud is a security risk by itself, and these companies are huge targets for hackers, and will share your data with state actors, or worse, advertisers, for-profit data miners et al.


Totally. Here's some more info on the company. They are located in the Ukraine. http://escadra.com.ua/en/kak-dvoe-kievlyan-sozdali-servis-pr...


Interesting article.... they should have used grammarly to correct a few mistakes :-D


Keylogging is just the beginning. Any (and many) browser extensions have the ability to record everything you do on every page you visit. All it takes is specifying the <all_urls> permission in the extension’s manifest and adding some event listeners.

It has to work this way or browsers wouldn’t be truly extensible. Be mindful of which extensions you install.
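As an added illustration (not code from the original thread or from any extension vendor), here is a small audit of what the comment above is pointing at: a manifest.json that asks for `<all_urls>`, a `*://*/*` host pattern, or a content script matching every site is exactly the shape that lets an extension attach listeners on every page. The two sample manifests are constructed; the permission names are real Chrome manifest keys.

```javascript
// Added example: audit a browser extension manifest for broad host access.
// Not from the thread or any vendor; the sample manifests below are constructed.

// API permissions that by themselves let an extension observe or alter browsing
// beyond the pages it injects into.
const HIGH_RISK_API_PERMISSIONS = new Set([
  'webRequest', 'webRequestBlocking', 'webNavigation', 'tabs',
  'clipboardRead', 'debugger', 'nativeMessaging',
]);

// "<all_urls>" or any pattern whose host part is a bare "*" covers every site on that scheme.
function isBroadHostPattern(pattern) {
  if (typeof pattern !== 'string') return false;
  if (pattern === '<all_urls>') return true;
  return /^(\*|https?|file|ftp):\/\/\*\//.test(pattern);
}

// Returns { name, manifestVersion, findings }; each finding is { severity, where, detail }.
function auditManifest(manifestJson) {
  const manifest = JSON.parse(manifestJson);
  const findings = [];
  const broad = (where, p) => findings.push({
    severity: 'high', where,
    detail: `${p} (can read and modify every page, including what you type)`,
  });

  // MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
  for (const p of manifest.permissions || []) {
    if (isBroadHostPattern(p)) broad('permissions', p);
    else if (HIGH_RISK_API_PERMISSIONS.has(p)) {
      findings.push({ severity: 'medium', where: 'permissions', detail: `${p} (privileged browser API)` });
    }
  }
  for (const p of manifest.host_permissions || []) {
    if (isBroadHostPattern(p)) broad('host_permissions', p);
  }
  // A content script matching every site runs in every page and can attach
  // input/keydown listeners there: the "keylogger" shape the thread describes.
  (manifest.content_scripts || []).forEach((cs, i) => {
    for (const p of cs.matches || []) {
      if (isBroadHostPattern(p)) broad(`content_scripts[${i}].matches`, p);
    }
  });
  return { name: manifest.name, manifestVersion: manifest.manifest_version, findings };
}

const SEVERITY_RANK = { none: 0, medium: 1, high: 2 };
function highestSeverity(findings) {
  return findings.reduce(
    (worst, f) => (SEVERITY_RANK[f.severity] > SEVERITY_RANK[worst] ? f.severity : worst),
    'none',
  );
}

// Constructed sample: a "writing assistant" style MV2 manifest that runs everywhere.
const SAMPLE_BROAD_MANIFEST = JSON.stringify({
  manifest_version: 2, name: 'Example Writing Helper', version: '1.0',
  permissions: ['<all_urls>', 'tabs', 'storage'],
  content_scripts: [{ matches: ['*://*/*'], js: ['content.js'] }],
});

// Constructed sample: an MV3 manifest scoped to a single site.
const SAMPLE_NARROW_MANIFEST = JSON.stringify({
  manifest_version: 3, name: 'Example Site Helper', version: '1.0',
  permissions: ['storage'],
  host_permissions: ['https://example.com/*'],
  content_scripts: [{ matches: ['https://example.com/*'], js: ['content.js'] }],
});

for (const m of [SAMPLE_BROAD_MANIFEST, SAMPLE_NARROW_MANIFEST]) {
  const r = auditManifest(m);
  console.log(`${r.name} (MV${r.manifestVersion}): ${highestSeverity(r.findings)}`);
  for (const f of r.findings) console.log(`  [${f.severity}] ${f.where}: ${f.detail}`);
}
```

To check an installed extension, feed `auditManifest` the manifest.json from its unpacked directory; a "high" result means the extension can see every page you visit, whatever its stated purpose.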


And pay attention if the companies that make your extensions are sold.


It's ridiculous that we're at this point where using a handful of software applications means keeping up to date with the social life and financial situation of the developer, reading changelogs, etc.

And you only can spare both the time and cognitive load to do this for at most a dozen or two applications, if you really care. The rest, you just have to trust that enough other people are watching carefully.

But the average person isn't going to keep up with even one application. They only bought their computer so they could browse the web and check emails, not so they could learn the details of how it works.

Likewise, most of us don't buy a car in order to spend a lot of time learning about exactly how a combustion engine works. We don't have the time.

Granted, this board is laden with engineers who will make the time to understand how their tools work, but we simply cannot expect this kind of effort from most people.

So, like we have to trust lower-level components to be scrutinized elsewhere, and trust we will be alerted in case of critical issues, the general population must trust the "nerds" to get things right and keep them safe.

This means that typically, the best attack surfaces will be small, widely-distributed, low-level software stacks whose developers can easily be compromised. Not just software either, but hardware.

It does seem like this is ultimately a battle we are going to lose without regulatory legislation in domains that require mass-deployment of software that can potentially breach Constitutional rights. In order to be federally qualified as "privacy-friendly", you have to meet certain guidelines both on a hardware and software level. This would include automatic transmission or collection of certain kinds of data without very express permission.


I completely agree with you. Unfortunately, legislation has been stuck in the '80s for the most part, and while I understand why, it can be frustrating.


>Be mindful of which extensions you install.

That sounds an awful lot like "Be careful what email attachments you open." Blaming the user never worked out then either.


=> "All it takes is specifying the <all_urls> permission in the extension’s manifest and adding some event listeners."

I guess android's "partial permission" is the right thing...


Isn't this also true of nearly all installable keyboards on mobile devices?


On iOS you currently have to explicitly allow network access to third party keyboards in the settings app (the not very clearly named "Allow Full Access" toggle), which as others have pointed out, is disabled by default on all newly installed keyboards. I have no idea how this works on other popular mobile device platforms.


Probably yes, though at least by default on iOS custom keyboards don't have network access.


Yes, it is crazy. For these cases we shouldn't be using SaaS at all. Installed applications can still be useful, I guess.


Anything you can recommend that integrates with a browser but runs locally and checks grammar and spelling mistakes?


I've not found time to try any of them yet so I can't comment on how they compare to Grammarly, but there are F/OSS alternatives.

https://languagetool.org/ for one supports running your own instance of the server-side portion out-of-the-box. You could run it truly locally assuming your device is appropriate, or your own server which might be more flexible as you can support a greater range of devices and share custom dictionaries between them.


> This extension will check your text by sending it to https://languagetool.org over an encrypted connection. Your text will not be stored.

Gives me a "privacy policy", "continue and don't ask again" or "cancel" hyperlink, nothing else, if I want to use it the first time.

But if you open the extension options under the "more tools" > extensions tab you can set the LanguageTool API server URL[0].

Going to try to set up a server over the weekend, thanks.

[0]: http://wiki.languagetool.org/http-server


A quick Google search and I found https://grammark.org/dist/#/ which could be incorporated into a Chrome extension.


I put "teh game is a art" into this one and it told me there were no problems with the writing.


Your browser can do spellcheck...


It doesn’t detect the passive voice, punctuation errors, or tense mismatch. While spelling catches many, it doesn’t catch them all.


That sounds more like you need to work on your grammar. One should be able to do those things on their own


I, for one, don’t really care if someone has written to me in the passive voice. Or is changing tense. The message is still received. If it will mean they are more secure that way, then I will allow it.


Ok, but others want to correct those issues, and are specifically asking for ways to do so that don't require sending all typing away to a third party.


> Your browser can do spellcheck...

Yes... But your browser won't detect "spellcheck do can browser your"

Grammar is more than just spelling.


Your brain. If you offload too many tasks to computers, those skills will weaken.


> Your brain.

Trying, I promise, even different languages. But I'm not a native speaker and a bit dyslexic.

So someone or thing looking over my shoulder would be nice.


I highly recommend friends and family as proofreaders.


But our brain logs our keystrokes!


It doesn't. How many times haven't colleagues asked, 'how did you do that in vim?' Only for me to stutter and literally have to repeat the command while looking at the keyboard?


Realized this when it wanted to install the plug-in. Pretty much installed it. Used it for what I needed, then uninstalled. They have a Word plugin which I believe needs to be explicitly turned on, so that's a better use.


Any difference between that and say fcitx?


Aren't all password managers keyloggers too?


No. 1Password, as far as I know, doesn't trigger anything until after I've given it the OK to do its thing. It can input passwords when I allow it to and it saves the password only after I've confirmed that it's ok to. It's possible that they're secretly logging everything in the background but that seems to be completely antithetical for a company that requires the trust of its users for its product to sell.


I personally stay far away from password managers, especially as browser extensions. I'd really recommend everyone look at how many of their Chrome extensions have the permission to "access your data on all websites", and consider whether or not they really trust the companies or individuals who made those extensions with that permission.

It's eye-opening to people when I ask them about an extension they have, say "Honey", and they say they like it because it saves them money. And then I point out it can access everything they do online, and ask them if that's a concern or not.


As an open-source extension developer, I wish there was a way to prove that the extension uploaded is generated from a specific git commit. It wouldn't solve everything, but it would make it easier for anyone to audit the code and know that it actually matches the code I've uploaded.


Indeed. I was thinking about this, and would argue this should really not only exist... but be the only way extensions with this level of wide-sweeping access should be permitted to be published.

Chrome team, if they were security-focused, would not permit any closed source extensions which have access to all website data.

People don't seem to understand sometimes that if an extension has this sort of access, you need to be able to trust your browser extensions as much as you trust your browser itself.


I'd add to that "not obfuscated" too since JS minimization and WASM can be as obscure as binary.


> I personally stay far away from password managers

I am curious how you manage your passwords.


Use an out of band password manager, whose key is never transmitted over a network. Or a notebook that is physically secured. There are a number of solutions for password vaults, and you can use a variety of means to synchronize them if needed.

The notion that it's a good idea to trust a browser extension for secrets management is pretty bizarre to me if you're protecting high value assets.


As always, it depends on your threat assessment and what is practically possible. For the vast majority of users, using a password manager browser extension [1] is a large improvement over password re-use over dozens of sites. Most folks will also not want to put in the effort to use an out-of-band password manager.

(Not directed at you personally, but I often hear such comments from people who are then perfectly fine to use a password manager in X11, where in the default configuration every application can read your keystrokes, screen grabs, clipboard, etc.)

[1] Preferably one that communicates with an out-of-process password manager over an authenticated channel like 1Password.


I love passphrases and mnemonics. There are passwords that I retired out of anywhere they existed several years ago that I will probably never forget as long as I live. And not only is it easy to create memorable passphrases, and they're fairly long, you can then combine your passphrases in interesting combinations to get even more passwords that you probably will never forget.

Beyond that, the "never reuse passwords" adage is horribly oversold. If it handles my money, my email, or my web hosting, it needs to be unique. Passwords for places I comment are commonly reused and not as sophisticated because it is not seriously impactful to me if someone gets a hold of them.

Reuse passwords for sites that can't meaningfully harm you if they get compromised. Minimize how many accounts can harm you by not saving your credit card info in most of them; uncheck that box when you pay for stuff.

I'm also insanely liberal about deploying 2FA. I have it everywhere it's available, even sites with common/stupid passwords. So a lot of sites I don't bother with unique passwords will still be somewhat protected if my password is compromised. I'm also subscribed to haveibeenpwned with every email address I've ever used for anything.


Memory


In other words, you're not using strong, unique passwords, and your security is likely nil.


A Chrome extension even with all available permissions doesn't have access to your password manager. (It could record the passwords as they're typed or autofilled into a webpage, but it doesn't make a difference whether you're using your browser's password manager or typing it yourself there.)


I am too paranoid to use them, but, from what I read (regarding the biggest one):

"LastPass encrypts your Vault before it goes to the server using 256-bit AES encryption. Since the Vault is already encrypted before it leaves your computer and reaches the LastPass server, not even LastPass employees can see your sensitive data"

If there is an attack still possible (even using LastPass employees) can you post it here?


Project Zero has found a number of major flaws in the LastPass extension.

https://bugs.chromium.org/p/project-zero/issues/detail?id=88... https://bugs.chromium.org/p/project-zero/issues/detail?id=11... https://bugs.chromium.org/p/project-zero/issues/detail?id=12... https://bugs.chromium.org/p/project-zero/issues/detail?id=12... https://bugs.chromium.org/p/project-zero/issues/detail?id=12...

At a glance what they have in common is flaws in the scripts that the LastPass extension injects into pages. The injected scripts can communicate with the extension core with a set of RPCs. Each of these issues is a way of tricking the extension into running RPCs from untrusted JavaScript on any web page. The RPCs available allow an attacker to fetch the credentials for any site in the database or even execute arbitrary code on the host.
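The bug class described above (untrusted page JavaScript reaching privileged extension RPCs through the injected script's messaging) has a defensive counterpart on the extension-core side. The following is an added example, not LastPass's or any vendor's code: an authorization gate that classifies the sender of a runtime message and refuses credential RPCs that don't match the page the content script is running in. The RPC names, extension id and sender objects are constructed; the sender shape follows `chrome.runtime.MessageSender`.

```javascript
// Added example (not from the thread or any vendor): an authorization gate for privileged
// extension RPCs. RPC names, the extension id and the sender objects are constructed.

const EXTENSION_ID = 'exampleextensionidplaceholder000'; // placeholder, constructed

// Where each RPC may legitimately be invoked from. Anything callable from a content script
// is, in effect, callable from any page that finds a message-confusion bug in that script,
// so the dangerous RPCs are restricted to the extension's own pages.
const RPC_POLICY = {
  getCredentials:   { from: ['content-script', 'extension-page'], scopeToPageHost: true },
  listVaultEntries: { from: ['extension-page'] },
  runNativeCommand: { from: ['extension-page'] },
};

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

// Classify the sender of a runtime message. Only messages carrying this extension's own id
// come from its content scripts or pages; anything else is another extension or unknown.
function senderKind(sender, extensionId) {
  if (!sender || sender.id !== extensionId || typeof sender.url !== 'string') return 'foreign';
  if (sender.url.startsWith(`chrome-extension://${extensionId}/`)) return 'extension-page';
  if (sender.tab && /^https?:\/\//.test(sender.url)) return 'content-script';
  return 'foreign';
}

// Decide whether a request may run. The gate belongs in the extension core (background),
// where the sender metadata is supplied by the browser rather than by the page.
function authorizeRpc(request, sender, extensionId = EXTENSION_ID) {
  const policy = request && RPC_POLICY[request.rpc];
  if (!policy) return { allowed: false, reason: 'unknown rpc' };
  const kind = senderKind(sender, extensionId);
  if (!policy.from.includes(kind)) {
    return { allowed: false, reason: `${request.rpc} not allowed from ${kind}` };
  }
  // A content script may only ask for the credentials of the page it is running in, so a
  // confused content script can at worst hand a page its own site's login, not every site's.
  if (kind === 'content-script' && policy.scopeToPageHost) {
    const pageHost = hostOf(sender.url);
    const wanted = String(request.site || '').toLowerCase();
    if (!pageHost || wanted !== pageHost) {
      return { allowed: false, reason: `page ${pageHost} may not read credentials for ${wanted}` };
    }
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed senders, shaped like chrome.runtime.MessageSender.
const PAGE_SENDER = { id: EXTENSION_ID, url: 'https://bank.example/login', tab: { id: 7 } };
const POPUP_SENDER = { id: EXTENSION_ID, url: `chrome-extension://${EXTENSION_ID}/popup.html` };
const OTHER_EXT_SENDER = { id: 'someotherextensionid000000000000', url: 'https://bank.example/login', tab: { id: 7 } };

const DEMO = [
  [{ rpc: 'getCredentials', site: 'bank.example' }, PAGE_SENDER],
  [{ rpc: 'getCredentials', site: 'mail.example' }, PAGE_SENDER],
  [{ rpc: 'runNativeCommand' }, PAGE_SENDER],
  [{ rpc: 'listVaultEntries' }, POPUP_SENDER],
  [{ rpc: 'getCredentials', site: 'bank.example' }, OTHER_EXT_SENDER],
];
for (const [req, sender] of DEMO) {
  const d = authorizeRpc(req, sender);
  console.log(`${req.rpc}${req.site ? ' ' + req.site : ''} from ${sender.url}: ${d.allowed ? 'ALLOW' : 'DENY'} (${d.reason})`);
}
```

The host scoping is the part that limits blast radius: even if the injected script can be tricked into forwarding a page's message, the core will only return the credentials belonging to that page's host, and the RPCs that execute code or list the whole vault are never reachable from a content script at all.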


Not sure if you're using the credential "autofill" feature, but somewhat recently there was an attack in which their autofill extension could be tricked into "autofilling" specific sites' credentials on a malicious webpage. (Not sure if this has been fixed by LastPass)

The fix for that was to not use autofill and revert to manually grabbing your username/password when filling out a login form.

Aside from that, I am not aware of other "hot" attack vectors.


LastPass has been very diligent in fixing issues like the one you list. Usually very quickly (sometimes in hours, not even days.) And most of the issues you've read about with LastPass have been fixed before being disclosed because of how responsive they are.

Users still need to practice skepticism and ultimately it is their responsibility to protect their passwords. But LastPass has been a very good citizen when it comes to being as secure as possible.


I would not say "as secure as possible" since the risks introduced by a browser extension are very real. Though the alternatives lately are impractical for non-technical users.


I used LastPass for a while. Then it filled in my username and password (correctly) on a website without my having authenticated... It looks like there's an unencrypted local cache which is not flushed when your authentication expires or you log out. I wasn't able to reproduce it but I was sufficiently spooked to stop using it after that.


Sure it wasn't the browser that filled it in?


Not even close. For instance check out password-store. It's a cli that uses gpg to store passwords. You can install an open source browser extension, but it only allows you to login easily and is manually triggered. It only connects to your local password-store.


There are password managers that don't involve any cloud services.


No?


> I feel like the first thing we should talk about is how this is effectively a keylogger...

Same as Google/Firefox autocomplete and history, or keyboard spell checker, or email autocomplete and spell checker, etc.

So Linux and Android are also in the boat of having apps that make your life easier, which also need security enforced.

Just wanted to say, it's not a Windows-only issue: OSX, iPhone, Android, they are all going to be affected by similar issues.



