

Popular grammar-checking startup Grammarly Inc. has been forced to issue an urgent update to its browser extensions after they were discovered to be exposing user data to malicious websites.
The security bug, discovered by security researcher Tavis Ormandy, affected both the Chrome and Firefox Grammarly browser extensions and leaked authentication tokens that allowed any website a Grammarly browser extension user visited to access a user’s documents, history, logs and all other data.
“I’m calling this a high severity bug because it seems like a pretty severe violation of user expectations,” Ormandy wrote, because “users would not expect that visiting a website gives it permission to access documents or data they’ve typed into other websites.”
Ormandy went on to explain that the bug, which affected an estimated 22 million users, was easy for malicious websites to exploit: just four lines of code were enough to create a token that gave the attackers access to the data gathered by the extension.
On the positive side, Grammarly issued updated versions of both the Firefox and Chrome extensions Monday after being made aware of the issue only on Friday, which Ormandy called a “really impressive response time.”
Grammarly, founded back in 2008, has been popular for years among professional writers but has taken off in more recent times as the growing popularity of social media has prompted many people to seek improved spelling and grammar checking tools.
The company raised a surprisingly large $110 million from General Catalyst, Breyer Capital, IVP, SignalFire and Spark Capital in a round announced in May, when it had 6.9 million daily active users. If Ormandy’s estimation of 22 million users of browser extensions is accurate, the company has seen huge growth since then.