MIX Cross-Site Scripting Vulnerability in Google Translate (Bounty $3133.70)

Posted by Xicoderx (Member, joined May 8, 2023)

How did I earn $3133.70 from Google?

A seemingly simple bug, but it's not simple at all when you need to be... Vietnamese.
[Video: PoC XSS Google Translate (Proof of Concept)]

Cross-Site Scripting (XSS) on Google's translate.google.com domain.

At 2 am, in the winter weather of Hanoi, when everyone is asleep, I am still engrossed in my daily work; by the time I finish, it is already 2:45 am.

I decided to "entertain" myself a bit and then go to sleep, but I have language problems when searching for movies. While translating a movie name from Vietnamese to English on translate.google.com, I accidentally discovered a problem in the "word suggestion" feature (with Vietnamese as the main language) of Google Translate.

At this point, I pressed F12 in the browser to open DevTools and checked: I found that the HTML I inserted above was being executed.

Well, Google hasn't filtered and encoded the HTML tags in this feature yet, so I can exploit XSS here.

I tried changing the primary language to another one, but it didn't work, because there the HTML tags are encoded and filtered out. This error appears when Vietnamese is selected as the main language.


I continued with other HTML snippets to create a bulletin board displaying the user's domain and session.

(The difficulty here is finding a reasonable length and set of characters for Translate to still display "word suggestions".)

And finally, I found the XSS, like this:

<iframe onload="javascript:prompt(document.domain, document.cookie)" id="xss" role="xss">hello xss



But will Google accept this vulnerability?

If Google uses POST instead of GET to fetch the suggested results, will it be rejected? Because you have to send that code to the victim for it to execute, but if you send the victim that code, will they really execute it?

Address URL displayed in the browser:

https://translate.google.com/?hl=en#view=home&op=translate&sl=en&tl=en&text=%3Ciframe%20onload=%22javascript:alert(document.domain)%22%20id=%22xss%22%20role=%22xss%22%3Ehello%20xss

At this point, I looked at the URL in the browser and noticed the parameters being passed:

&sl=en => main language
&tl=en => language after translation
&text= => text

So I thought it would work: I just need to craft the XSS code, pass it in the text parameter above, and send the link to the victim.

After having enough background about the bug, I submitted a report to Google.

But then I received a response from Google that it was not a bug, because the domain was in the "sandbox domains" list; they considered it invalid and changed the status to "Won't Fix (Intended Behavior)".

I was quite sad at this point, but it's okay; I went back to read it again to find information about the "sandbox" domain name.

I would like to briefly talk about "sandbox domains".

Sandbox domains are usually used to store all kinds of content, including content containing viruses, malware, trojans, etc., without affecting other servers. They are isolated from the main server that contains user data, hence they are safe.

But strangely, the domain name "translate.google.com" is not in that list, and I'm sure it's valid. I sent 2 replies to prove their mistake.

7 days after I sent those 2 responses, I hadn't seen any more responses from them, so I responded again; as a result, they reviewed the status change, accepted it as a bug, and met with the team to assess the severity and offer the bounty for this bug.

Finally, I would like to thank some of you and some members of the "Bounty Hunting Community" group for giving me feedback during the process of proving this mistake and more motivation to keep proving it.
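As an added example (not from the post, and not Google's code), the following Node.js snippet simulates the rendering path the post describes: the `text` parameter is recovered from the URL fragment, then fed to a "word suggestion" renderer. The unsafe renderer interpolates the suggestion straight into markup, which is the behaviour the author observed; the hardened one HTML-encodes it first, so a `<` in the input can never open a new element. The URL is constructed to mirror the one in the post, and the function names (`getTextParam`, `renderSuggestionSafe`, `countStartTags`) are assumptions for illustration.

```javascript
// Added example (not from the post, not Google's code): simulating the
// "word suggestion" rendering path and showing why output encoding fixes it.
// Constructed URL mirroring the one in the post; sl=vi because the post says
// the bug appeared with Vietnamese as the main language.
const SAMPLE_URL =
  'https://translate.google.com/?hl=en#view=home&op=translate&sl=vi&tl=en' +
  '&text=%3Ciframe%20onload=%22javascript:alert(document.domain)%22%20id=%22xss%22%20role=%22xss%22%3Ehello%20xss';

// Recover the `text` parameter from the URL fragment (the part after '#'),
// as a client-side router would before handing it to the UI.
function getTextParam(url) {
  const fragment = new URL(url).hash.slice(1);            // drop the leading '#'
  return new URLSearchParams(fragment).get('text') || ''; // percent-decoded
}

// Minimal HTML entity encoder for text placed inside element content or a
// double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable renderer: the suggestion is interpolated into markup as-is,
// which is the behaviour the post observed (the inserted HTML gets executed).
function renderSuggestionUnsafe(word) {
  return `<span class="suggestion">${word}</span>`;
}

// Hardened renderer: same markup, but the untrusted suggestion is encoded
// first, so the browser treats it as text rather than as a new element.
function renderSuggestionSafe(word) {
  return `<span class="suggestion">${escapeHtml(word)}</span>`;
}

// Check usable in a unit test or a response-side detector: count element
// start tags in the rendered fragment. Only the wrapper <span> should ever
// appear, regardless of what the suggestion contains.
function countStartTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

// Run the whole path on the sample URL and report both renderers' results.
function demo() {
  const word = getTextParam(SAMPLE_URL);
  return {
    word,
    unsafeTags: countStartTags(renderSuggestionUnsafe(word)),
    safeTags: countStartTags(renderSuggestionSafe(word)),
  };
}

const result = demo();
console.log(`decoded text parameter: ${result.word}`);
console.log(`start tags, unsafe render: ${result.unsafeTags}; safe render: ${result.safeTags}`);
```

The unsafe render of the sample contains two start tags (the wrapper and the injected `<iframe>`), the safe render exactly one; that single-tag invariant is the property a regression test for the suggestion component would assert, and it holds for ordinary input such as Vietnamese words with diacritics as well as for the payload.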