The bug is in the website’s “translate a document” feature.

Madrid-based Francisco Javier Santiago Vazquez, a security auditor for Mnemo, has discovered a cross-site scripting (XSS) vulnerability in Google Translate’s interface.
According to Mr. Vazquez, the vulnerability is in Google Translate’s “translate a document” feature, which allows users to translate text-based documents without having to extract and copy-paste the text beforehand.
Mr. Vazquez says that malicious code added to documents uploaded via this site feature would allow third parties to carry out attacks on the victim’s computer.
As you can imagine, exploiting this vulnerability is a little bit tricky, since attackers first need to lure a victim into downloading the file onto their computer, opening it, and then trying to translate it via Google Translate, specifically through its “translate a document” feature.
Mr. Vazquez says he discovered the flaw at the beginning of the month and informed Google, which responded the very next day.
Google staff informed Mr. Vazquez that they didn’t consider this vulnerability a risk since it was hard to exploit and worked within a sandbox.
They also informed him the vulnerability was not eligible for the company’s bug bounty program. Softpedia has contacted Mr. Vazquez for further clarification on the attack’s capabilities.