Friday, January 01, 2010
Yahoo Babelfish - SYSTRAN Base - Is that a Culprit? Well Let's See The WorkOut.
The frame injection flaw discussed previously has a lot of impacts and can be exploited in the wild in a diversified manner. Primarily, two basic checks are missing in the online translation strategy adopted by Yahoo Babelfish and Systran. Systran is the base software used by Yahoo for translating contents online; the application is desktop based. On scrutinizing the Systran service, the design looks similar to that used by Yahoo Babelfish.
For a good design implementation in a translation server, one should consider the following factors:
1. Privacy statement or content verification notification should be mentioned in the base message bar.
2. The translation source and destination should be mentioned.
3. It's a good solution to randomize the source URL and append a differential URLID parameter that cannot be guessed.
The third solution is quite good because a direct reference to the source cannot be made, and the source check is maintained when a malicious translation request is issued.
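As an added illustration of points 1 to 3 (this is example code written for this post, not Systran's or Babelfish's implementation), the following sketch issues a per-request URLID that is random and bound to the translation parameters with an HMAC, so neither guessing an id nor supplying the source URL directly resolves a translation. The host name `translate.example`, the server key, and the in-memory session table are constructed placeholders; a real deployment would keep the key in a secret store and the table in server-side storage.

```python
"""Unguessable URLID for a translation proxy, with the notice bar from points 1 and 2.
Example code for this post; names, key and storage are constructed, not a real service."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed server-side secret; a real service would load it from a secret store.
SERVER_KEY = b"constructed-example-key-do-not-reuse"

# Constructed in-memory table: urlid -> (source url, source lang, destination lang).
_sessions = {}


def _tag(nonce, source_url, src_lang, dst_lang):
    """HMAC binding the random nonce to exactly one source URL and language pair."""
    msg = f"{nonce}|{source_url}|{src_lang}|{dst_lang}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]


def issue_translation_url(source_url, src_lang, dst_lang,
                          base="https://translate.example/view"):
    """Create a fresh view URL whose id cannot be derived from the source URL."""
    nonce = secrets.token_hex(16)  # 128 random bits, unrelated to source_url
    urlid = f"{nonce}.{_tag(nonce, source_url, src_lang, dst_lang)}"
    _sessions[urlid] = (source_url, src_lang, dst_lang)
    return f"{base}?{urlencode({'urlid': urlid})}"


def notice_bar(source_url, src_lang, dst_lang):
    """Message bar text: translation source/destination plus a content verification notice."""
    return (f"Translated from {src_lang} to {dst_lang}. Source: {source_url}. "
            "Translated content is not verified and should not be treated as trusted.")


def resolve_translation(view_url):
    """Resolve a view URL; returns None for a direct 'url=' reference, an unknown
    or guessed id, or an id whose tag does not match its stored parameters."""
    qs = parse_qs(urlparse(view_url).query)
    if "url" in qs:               # direct source references are never accepted
        return None
    urlid = qs.get("urlid", [None])[0]
    if urlid is None or urlid not in _sessions:
        return None
    source_url, src_lang, dst_lang = _sessions[urlid]
    nonce, _, tag = urlid.partition(".")
    if not hmac.compare_digest(tag, _tag(nonce, source_url, src_lang, dst_lang)):
        return None
    return {"source": source_url, "from": src_lang, "to": dst_lang,
            "banner": notice_bar(source_url, src_lang, dst_lang)}


if __name__ == "__main__":
    link = issue_translation_url("http://mail.yahoo.com/", "en", "fr")
    print(link)
    print(resolve_translation(link)["banner"])
    print(resolve_translation("https://translate.example/view?url=http://mail.yahoo.com/"))
```

Because every issued URL carries a new nonce, two translation requests for the same page produce different links, and a link built by hand from a known source URL cannot be resolved.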
Both of these checks are missing in Yahoo Babelfish and Systran. Microsoft, in this case, has an upper hand by deploying these notifications: at least a user is always aware of the fact that the content should not be considered trusted. The prototype looks as presented below:
While loading the Yahoomail URL for translation, the server gives the error as shown below:
It is noticed that Systran online translation engine fetches the URL pattern as mentioned below:
The first two notifications discussed above are not followed. But yes, to some extent the URL randomization point is applied. I am not saying that it is an appropriate solution, but if a new ID is provided every time, it can be considered a good solution. Of course it is.