https://github.com/ljmf00/google-translate-exploit

Google Translate Translation Exploit
https://github.com/ljmf00/google-translate-exploit

exploit exploitation google google-translate google-translate-api poc proof-of-concept

Last synced: about 2 months ago
JSON representation

Google Translate Translation Exploit

• Host: GitHub
• URL: https://github.com/ljmf00/google-translate-exploit
• Owner: ljmf00
• Created: 2019-03-01T00:47:35.000Z (almost 6 years ago)
• Default Branch: master
• Last Pushed: 2019-03-04T09:37:29.000Z (almost 6 years ago)
• Last Synced: 2024-10-28T14:35:00.738Z (3 months ago)
• Topics: exploit, exploitation, google, google-translate, google-translate-api, poc, proof-of-concept
• Homepage:
• Size: 50.8 KB
• Stars: 11
• Watchers: 4
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        
# Google Translate - Translation Exploit

Vulnerabilities in translation algorithm that leaks some weird data.

----------

![screenshot](screenshot.png)

## Description

Basically this exploit breaks Google Translate service (Cloud Translation API too) using `por`, (`by` in english) word with an `id` (number typed) and a few keywords like `people`, `downloads`, `posts`, `message`, etc...

This suspected to be a Query/[Code Injection](https://en.wikipedia.org/wiki/Code_injection) exploit that interacts, apparently, with Google Maps, Youtube, Blogger, Google Play,... databases that leaks non-indexed information (e.g. ["csp03607292"](https://www.google.pt/search?q=%22csp03607292%22) ) by the search engines, so it could be internal information.

## Some results

```

More Info Stock Photo Information Photo ID: csp03607292

```

```

downloads and downloads for Android applications and games, and get the latest updates and corrections by ANDROID android.permission.INTERNET android.permission.ACCESS_NETWORK_STATE android.permission.INTERNET android.permission.ACCESS_NETWORK_STATE android.permission.WRITE_EXTERNAL_STORAGE android.permission.WRITE_EXTERNAL_STORAGE android.permission.WRITE_EXTERNAL_STORAGE android.permission.WRITE_EXTERNAL_STORAGE

```

```

3 Downloads,,,,,,,,,,,,,,,,,,,,, by bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb

```

### On Cloud Translation API

This also works on [Google Cloud Translation API](https://cloud.google.com/translate/).

Request: `https://translation.googleapis.com/language/translate/v2/?q=por%2011141566661212131314689999312345797365%20downloads&source=pt&target=en&key=YOUR_API_KEY_HERE`

```json

{

  "data": {

    "translations": [

      {

        "translatedText": "More tracks from this album"

      }

    ]

  }

}

```

## Example of reproduction

1. Open https://translate.google.com/

2. Choose Portuguese as the source language and other language for the translation language.

3. Try to translate `por 3232312231236872122321344 message`.

4. Check out your weird translation! (you can change the number to change the database query)

### Advanced queries

This could be scalable with `AND` keywords, `;`, middle text on the number or even negative numbers at the end afects the result.

Examples:

- `por 11141566661212131314689999312345797365 downloads AND por 11141566661212131314689999312345797365 downloadspor 11141566661212131314689999312345797365 -23467`

- `por 11141566661212131314689999312345797365 downloads AND; por 111415666612345212131314asdf689999312345797365 downloads -234672345234523452345`

- `por 111415666612345212131314asdf689999312345797365 downloads -234672345234523452345`

- `se 1890743402834712390487 posts' AND par 1890743402834712390487 posts' GOTO por 1890743402834712390487 posts'`

- `;DROP por 1890743402834712390487 posts`

- `FROM por 1890743402834712390487 posts`

## Keyword usage

### At the beginning

- `por`

- `by`

- `se`

- `par`

### Middle info

- signed/unsigned integers

- non spaced text with digits at the beginning and end

### Separators

- `AND`

- `;`

- `'`

- `OR`

- `DROP`

- `FETCH`

- `GOTO`

- `TO`

- `XOR`

- `FROM`

- `ROM`

- `TOP`

(Work with a lot of SQL keywords, more [here](https://www.w3schools.com/sql/sql_ref_keywords.asp))

### At the end

- `downlaods`

- `pessoas`

- `posts`

- `message`

## Formal Report

At this point, I got no official contact from Google. I already reported this issue on Google Issue Tracker (`#119504713` on `Tue, 13 Nov 2018, 20:27`) but the issue was marked as `Intended Behavior`. A new issue was reported on `Sun, 3 Mar 2019, 22:34` with more clear and new info `#127179818` but unfortunately was also marked as `Intended Behavior` (now with a human message).

> Hi,

> 

> Thanks for report! It seems like, while it might be surprising, this is actually working as intended and is a feature of the product. This particular bug looks like that the translate ML model is producing a garbage data (possibly the inputs to it were not validated enough). It looks security-relevant, but it's just a coincidence here. 

>

> That said - if you think we misunderstood your report, and you see a well defined security risk, please let us know what we missed.