CSRF Vulnerability

I have discovered a new CSRF vulnerability on web site which could allow an attacker to insert items (words/phrases/URLs and related translations) into the user’s Phrasebook. Furthermore, an attacker could also insert potentially malicious URLs into the above-mentioned Phrasebook, towards which the victim could be redirected simply by clicking on the “Go to <website>” right-click option on
The vulnerability is related to a problem in the generation of the “xt” anti-CSRF token, which is not correctly associated with the user session, allowing an attacker to use any previously generated anti-CSRF parameter for that specific user in order to carry out this attack.
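The session-binding property described above, as an added example that is not code from the original advisory or from the affected site: a token derived from the user alone stays valid across sessions, while one computed over the user and the current session identifier is rejected once the session changes. The key, function names, sample user and the user-only construction are assumptions made for illustration; the site's real token scheme is not described on this page.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real service would load this from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def _mac(*fields: str) -> str:
    # JSON-encode the fields so ("a|b", "c") and ("a", "b|c") cannot collide.
    message = json.dumps(fields).encode()
    return hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()


def issue_user_token(user_id: str) -> str:
    """Weak pattern (assumed): token depends on the user only."""
    return _mac("csrf", user_id)


def check_user_token(user_id: str, token: str) -> bool:
    return hmac.compare_digest(token, issue_user_token(user_id))


def issue_session_token(user_id: str, session_id: str) -> str:
    """Hardened pattern: token is a MAC over user AND current session id."""
    return _mac("csrf", user_id, session_id)


def check_session_token(user_id: str, session_id: str, token: str) -> bool:
    return hmac.compare_digest(token, issue_session_token(user_id, session_id))


def demo() -> dict:
    user = "alice"                       # constructed sample user
    old_session = secrets.token_hex(16)  # session in which the token leaked
    new_session = secrets.token_hex(16)  # session after logging in again
    stale_weak = issue_user_token(user)
    stale_bound = issue_session_token(user, old_session)
    fresh_bound = issue_session_token(user, new_session)
    return {
        "weak_accepts_stale": check_user_token(user, stale_weak),
        "bound_accepts_stale": check_session_token(user, new_session, stale_bound),
        "bound_accepts_current": check_session_token(user, new_session, fresh_bound),
    }


if __name__ == "__main__":
    print(demo())
```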

For more details, please read my original Advisory:
CSRF Vulnerability on

My research has also been published on PacketStorm:
Google Translate Cross Site Request Forgery

Update (15 August, 2013): I received an email from the Google Security Team:

This issue has been fixed and verified by a security engineer – feel free to test and see if we’ve missed anything.
Thanks for all your help!

Google Security Team