• Google Website Translator Clickjacking Vulnerability

    Summary

    A Clickjacking vulnerability existed on Google Website Translator that allowed an attacker to add a translate editor by redressing the editor management page.

    Details

    The Google Website Translator pages (five in total) lacked both the X-Frame-Options HTTP header field and any frame-busting measures to prevent framing, so the editor management page could be redressed to 'click-jack' Google users.

    Code:
    Vulnerable Editor Management Page : http://translate.google.com/manager/editors

    Proof of Concept



    The redressed editor page with frame opacity set to 0, so it is invisible to the user. As soon as the user drags the matchstick into the cigarette and hits the result button, a new editor is added to the user's Website Translator.



    With frame opacity set to 0.5 you can clearly see the redressed page and everything in the background. The matchstick is actually a text area that contains the attacker's email address, which is selected by default using JavaScript. When the user drags the matchstick, he actually drags the email address into the invite email address field, and when he clicks the result button, he actually clicks the redressed invite button.



    Google addressed the vulnerability by adding the X-Frame-Options header field, set to DENY, on all pages.
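A defender-side check for the fix described above, as an added example that is not part of the original article: it decides from a response's headers whether the page can still be framed. It goes beyond the article by also evaluating the CSP `frame-ancestors` directive; the function name `frame_policy` and the sample header sets are constructed for illustration.

```python
# Added example: decide from response headers whether a page can be framed.
# The header sets in SAMPLES are constructed, not captured traffic.

def frame_policy(headers):
    """headers: list of (name, value) pairs. Returns (protected, reason)."""
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    xfo = {tok.strip().upper()
           for n, v in headers if n.lower() == "x-frame-options"
           for tok in v.split(",") if tok.strip()}

    # A frame-ancestors directive, when present, is what current browsers
    # enforce; X-Frame-Options is then ignored.
    open_csp = False
    for policy in csp:
        for directive in policy.split(";"):
            parts = directive.split()
            if not parts or parts[0].lower() != "frame-ancestors":
                continue
            sources = [s.lower() for s in parts[1:]]
            if any(s in ("*", "http:", "https:") for s in sources):
                open_csp = True
            else:
                return True, "CSP frame-ancestors " + (" ".join(sources) or "(empty)")
    if open_csp:
        return False, "CSP frame-ancestors allows any origin"

    if "DENY" in xfo:
        return True, "X-Frame-Options DENY"
    if "SAMEORIGIN" in xfo:
        return True, "X-Frame-Options SAMEORIGIN (same-origin framing only)"
    if xfo:  # e.g. the obsolete ALLOW-FROM, or a typo
        return False, "X-Frame-Options value not honoured: " + ", ".join(sorted(xfo))
    return False, "no anti-framing header"

SAMPLES = {
    "no header (state before the fix)": [("Content-Type", "text/html")],
    "X-Frame-Options DENY (the fix)": [("X-Frame-Options", "DENY")],
    "obsolete ALLOW-FROM": [("X-Frame-Options", "ALLOW-FROM https://example.com")],
    "DENY overridden by open CSP": [("X-Frame-Options", "DENY"),
        ("Content-Security-Policy", "default-src 'self'; frame-ancestors *")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, "->", frame_policy(hdrs))
```

Run it against the headers of every page that performs a state-changing action; a single unprotected page, like the editor management page here, is enough for redressing.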



    Special Thanks to AMol NAik and Aditya Gupta
    This article was originally published in forum thread: Google Website Translator Clickjacking Vulnerability started by prakhar