{"id":15589874,"url":"https://github.com/ljmf00/google-translate-exploit","last_synced_at":"2026-01-29T06:33:41.104Z","repository":{"id":70394007,"uuid":"173210018","full_name":"ljmf00/google-translate-exploit","owner":"ljmf00","description":"Google Translate Translation Exploit","archived":false,"fork":false,"pushed_at":"2019-03-04T09:37:29.000Z","size":52,"stargazers_count":11,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-06-08T03:27:09.496Z","etag":null,"topics":["exploit","exploitation","google","google-translate","google-translate-api","poc","proof-of-concept"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ljmf00.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-03-01T00:47:35.000Z","updated_at":"2021-04-18T04:43:27.000Z","dependencies_parsed_at":"2023-02-24T11:45:19.588Z","dependency_job_id":null,"html_url":"https://github.com/ljmf00/google-translate-exploit","commit_stats":{"total_commits":22,"total_committers":1,"mean_commits":22.0,"dds":0.0,"last_synced_commit":"a6e34fb5c88a4dbd2cee8eebfb1fe77ff656ad2b"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ljmf00/google-translate-exploit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ljmf00%2Fgoogle-translate-exploit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ljmf00%2Fgoogle-translate-exploit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/Git
Hub/repositories/ljmf00%2Fgoogle-translate-exploit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ljmf00%2Fgoogle-translate-exploit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ljmf00","download_url":"https://codeload.github.com/ljmf00/google-translate-exploit/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ljmf00%2Fgoogle-translate-exploit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28867104,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-29T05:56:06.453Z","status":"ssl_error","status_checked_at":"2026-01-29T05:55:57.668Z","response_time":59,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["exploit","exploitation","google","google-translate","google-translate-api","poc","proof-of-concept"],"created_at":"2024-10-02T23:11:34.871Z","updated_at":"2026-01-29T06:33:41.090Z","avatar_url":"https://github.com/ljmf00.png","language":null,"readme":"# Google Translate - Translation Exploit\nVulnerabilities in translation algorithm that leaks some weird data.\n\n----------\n\n![screenshot](screenshot.png)\n\n## Description\nBasically this exploit breaks Google Translate service (Cloud Translation API too) using `por`, (`by` in english) word with an `id` (number typed) 
and a few keywords like `people`, `downloads`, `posts`, `message`, etc...\n\nThis is suspected to be a Query/[Code Injection](https://en.wikipedia.org/wiki/Code_injection) exploit that interacts, apparently, with the Google Maps, YouTube, Blogger, Google Play, ... databases and leaks information that is not indexed by the search engines (e.g. [\"csp03607292\"](https://www.google.pt/search?q=%22csp03607292%22)), so it could be internal information.\n\n## Some results\n```\nMore Info Stock Photo Information Photo ID: csp03607292\n```\n```\ndownloads and downloads for Android applications and games, and get the latest updates and corrections by ANDROID android.permission.INTERNET android.permission.ACCESS_NETWORK_STATE android.permission.INTERNET android.permission.ACCESS_NETWORK_STATE android.permission.WRITE_EXTERNAL_STORAGE android.permission.WRITE_EXTERNAL_STORAGE android.permission.WRITE_EXTERNAL_STORAGE android.permission.WRITE_EXTERNAL_STORAGE\n```\n```\n3 Downloads,,,,,,,,,,,,,,,,,,,,, by bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\n```\n\n### On Cloud Translation API\nThis also works on [Google Cloud Translation API](https://cloud.google.com/translate/).\n\nRequest: `https://translation.googleapis.com/language/translate/v2/?q=por%2011141566661212131314689999312345797365%20downloads\u0026source=pt\u0026target=en\u0026key=YOUR_API_KEY_HERE`\n```json\n{\n  \"data\": {\n    \"translations\": [\n      {\n        \"translatedText\": \"More tracks from this album\"\n      }\n    ]\n  }\n}\n```\n\n## Example of reproduction\n1. Open https://translate.google.com/\n2. Choose Portuguese as the source language and any other language as the translation language.\n3. Try to translate `por 3232312231236872122321344 message`.\n4. Check out your weird translation! 
(you can change the number to change the database query)\n\n### Advanced queries\nThis can be scaled up: `AND` keywords, `;`, text in the middle of the number, or even negative numbers at the end affect the result.\nExamples:\n- `por 11141566661212131314689999312345797365 downloads AND por 11141566661212131314689999312345797365 downloadspor 11141566661212131314689999312345797365 -23467`\n- `por 11141566661212131314689999312345797365 downloads AND; por 111415666612345212131314asdf689999312345797365 downloads -234672345234523452345`\n- `por 111415666612345212131314asdf689999312345797365 downloads -234672345234523452345`\n- `se 1890743402834712390487 posts' AND par 1890743402834712390487 posts' GOTO por 1890743402834712390487 posts'`\n- `;DROP por 1890743402834712390487 posts`\n- `FROM por 1890743402834712390487 posts`\n\n## Keyword usage\n### At the beginning\n- `por`\n- `by`\n- `se`\n- `par`\n\n### Middle info\n- signed/unsigned integers\n- non-spaced text with digits at the beginning and end\n\n### Separators\n- `AND`\n- `;`\n- `'`\n- `OR`\n- `DROP`\n- `FETCH`\n- `GOTO`\n- `TO`\n- `XOR`\n- `FROM`\n- `ROM`\n- `TOP`\n\n(Works with a lot of SQL keywords, more [here](https://www.w3schools.com/sql/sql_ref_keywords.asp))\n\n### At the end\n- `downloads`\n- `pessoas`\n- `posts`\n- `message`\n\n## Formal Report\nAt this point, I got no official contact from Google. I already reported this issue on Google Issue Tracker (`#119504713` on `Tue, 13 Nov 2018, 20:27`) but the issue was marked as `Intended Behavior`. A new issue was reported on `Sun, 3 Mar 2019, 22:34` with clearer and new info `#127179818` but unfortunately was also marked as `Intended Behavior` (now with a human message).\n\n\u003e Hi,\n\u003e \n\u003e Thanks for the report! It seems like, while it might be surprising, this is actually working as intended and is a feature of the product. 
This particular bug looks like the translate ML model is producing garbage data (possibly the inputs to it were not validated enough). It looks security-relevant, but it's just a coincidence here. \n\u003e\n\u003e That said - if you think we misunderstood your report, and you see a well-defined security risk, please let us know what we missed.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fljmf00%2Fgoogle-translate-exploit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fljmf00%2Fgoogle-translate-exploit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fljmf00%2Fgoogle-translate-exploit/lists"}