Grammarly: auth tokens are accessible to all websites The Grammarly chrome extension (approx ~20M users) exposes it's auth tokens to all websites, therefore any website can login to grammarly.com as you and access all your documents, history, logs, and all other data. I'm calling this a high severity bug, because it seems like a pretty severe violation of user expectations. Users self-evidently would not expect that visiting a website gives it permission to access documents or data they've typed into other websites. Reproduce: Here is how to repro, on any website (e.g. example.com) type this in the console to get a grammarly auth token (obviously a website could do this with