+------------------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title : Google Translate CSRF Vulnerability
# Date : 06/20/2013
# Author : Ivano Binetti (http://www.ivanobinetti.com)
# Affected Web site : http://translate.google.com
# Original Advisory : http://www.webapp-security.com/2013/06/translate-google-com-csrf-vulnerability/
+------------------------------------------------------------------------------------------------------------------------------------------+

Summary

1) Vulnerability Description
2) Exploit
3) Vulnerability Timeline

+------------------------------------------------------------------------------------------------------------------------------------------+

1) Vulnerability Description

I discovered a new CSRF vulnerability on the translate.google.com web site which could allow an attacker to insert items (words/phrases/URLs and related translations) into the user's Phrasebook. Furthermore, an attacker could also insert potentially malicious URLs into the above mentioned Phrasebook, to which the victim could be redirected simply by clicking the "Go to " right-click option on translate.google.com.

The vulnerability is related to a problem in the generation of the "xt" anti-CSRF token, which is not correctly associated with the user session, allowing any previously generated anti-CSRF parameter for that specific user to be reused in order to carry out this attack.

2) Exploit

Following is a simple exploit that inserts into a Phrasebook the new phrase "word_example" and the URL "www.ivanobinetti.com" (my blog) as its translation:
Note: when executing the exploit, the victim will receive a prompt to open or download an "sg" file. Even if the victim does not open or download this file, the new item will be added to the Phrasebook.

3) Vulnerability Timeline

04/12/2013: Exploit sent to the Google security team (security@google.com)
04/12/2013: First prompt reply from the Google security team, telling me that the exploit does not work
04/12/2013: My reply explaining the details of the vulnerability and the related exploit
04/13/2013: The Google security team contacted me, admitting the vulnerability and saying that they were considering whether to assign me a reward
04/17/2013: The Google security team told me that the vulnerability/problem was already known to Google and that there would be no reward for me :(
06/20/2013: After more than 2 months I checked that the problem is still in place, so I decided to publish the vulnerability
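The root cause in section 1 is an anti-CSRF token bound to the user rather than to the session, so any token ever issued to that user keeps working. The following added example (not code from the advisory or from Google) contrasts that weak pattern with a token bound to the session id and limited in lifetime; SERVER_KEY, the token layout and the session/user ids are constructed for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import os
import struct
import time

# Assumption: a server-side secret normally loaded from a secrets store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_TTL = 3600  # seconds a session-bound token stays valid


def _mint(binding: str, issued_at: int) -> str:
    """Token = 8-byte issue time || 16-byte nonce || HMAC(key, binding || header)."""
    header = struct.pack(">Q", issued_at) + os.urandom(16)
    mac = hmac.new(SERVER_KEY, binding.encode() + header, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(header + mac).decode()


def _check(token: str, binding: str):
    """Return the issue time if the MAC matches this binding, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, binascii.Error):
        return None
    if len(raw) != 8 + 16 + 32:
        return None
    header, mac = raw[:24], raw[24:]
    expected = hmac.new(SERVER_KEY, binding.encode() + header, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged, or minted under a different binding
    return struct.unpack(">Q", header[:8])[0]


# Weak pattern, as the advisory describes: bound to the user only, never expires,
# so a token captured from any earlier session of the same user still verifies.
def weak_issue(user_id: str, now: int) -> str:
    return _mint("user:" + user_id, now)


def weak_verify(token: str, user_id: str, now: int) -> bool:
    return _check(token, "user:" + user_id) is not None


# Hardened pattern: bound to the current session id and to a bounded lifetime.
# Mint a fresh token whenever the session id rotates (e.g. at login).
def issue_token(session_id: str, now: int = None) -> str:
    return _mint("session:" + session_id, int(time.time()) if now is None else now)


def verify_token(token: str, session_id: str, now: int = None) -> bool:
    now = int(time.time()) if now is None else now
    issued_at = _check(token, "session:" + session_id)
    return issued_at is not None and issued_at <= now < issued_at + TOKEN_TTL
```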