Thursday, December 24, 2009
Google Translate - Google User Content - File Uploading Cross - XSS and Design Stringency - A Talk
Google Translate services provide an efficient way of translating content. The web is a playground for attackers, and every day a new bug or flaw is detected in the web services provided by the major giants. An interesting exercise is to dissect the web-based design of websites that handle user-generated content. When this problem was raised with Google, the issue was treated as by design.
The problem (or web bug) lies in the file uploading feature of the Google Translate website: malicious content such as an XSS payload, an iframe, etc. gets executed and rendered in the context of the running website. On discussion with Google it was stated that:
There are two features provided by the Google Translate service, mentioned below:
1. Translation through file uploading.
2. Direct translation of content online.
Question: Why do users consider translation services secure? What if somebody is running a monetary transaction, or something similarly sensitive, through one?
The question is hard to answer. But one thing is sure: translation services should not be used for any critical work.
Let's have a look at the attack point:
Step 1: Uploading a malicious content file through Google Translate service
Step 2: Executing Content
Looking at the different domains
Both google.com and googleusercontent.com serve the same Google search functionality. The dedicated user-content server can be used for a different purpose, because content on it is not trusted.
Looking at it from a different perspective, it would be great if a small message were displayed on the Google Translate service bar, as below:
"Google does not assure the integrity of the source of the content"
After considering this notification, I checked Bing translation, which has already applied such a notification message. Great.
It may not be a solution, but making your concern about the content visible is a good step and a better design practice.
Note: a previously reported phishing vulnerability in Google Translate was patched, and Google introduced a check on the source and destination translation languages.