The bug is in the website’s “translate a document” feature.Madrid-based Francisco Javier Santiago Vazquez, a security auditor for Mnemo, has discovered a cross-site scripting (XSS) vulnerability in Google Translate’s interface.
According to Mr. Vazquez, the vulnerability is in Google Translate’s “translate a document” feature, which allows users to translate text-based documents without having to extract and copy-paste the text beforehand.
Mr. Vazquez says that malicious code added to documents uploaded via this site feature would allow third-parties to carry out attacks on the victim’s computer.
The easiest way to take advantage of this issue is to manipulate HTML files and have them host malicious code via inlined JavaScript. Other file types capable of hosting inline JS code may also be vulnerable.
As you can imagine, exploiting this vulnerability is a little bit tricky, since attackers first need to lure a victim into downloading the file onto their computers, opening it, making sure the victim tries to translate it via Google Translate, and via its “translate a document” feature.
Mr. Vazquez says he discovered the flaw at the beginning of the month, informed Google, who responded the very next day.
Google staff informed Mr. Vazquez that they didn’t consider this vulnerability a risk since it was hard to exploit and worked within a sandbox.
They also informed him the vulnerability was not eligible for its bug bounty program. Softpedia has contacted Mr. Vazquez for further clarifications on the attack’s capabilities.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.
