August 15, 2012 · ClickJacking Google Bug Bounty VRP

Google Website Translator Clickjacking Vulnerability

Vulnerability Information

A Clickjacking vulnerability existed on Google Website Translator that allowed an attacker to add a translate editor by redressing the editor management page.

Vulnerability Details

Google Website Translator pages lacked the X-Frame-Options HTTP header and any frame-busting measures that would prevent the pages from being framed, so the editor management page could be redressed to 'click-jack' Google users.

Proof of Concept:

With the frame opacity set to 0.5, you can clearly see the redressed page and everything in the background. The matchstick is actually a text area that contains the attacker's email address, which is selected by default. Once the user drags the matchstick, he actually drags the email address into the invite email address area, and when he clicks the result, he clicks the redressed invite button.

Google fixed the vulnerability by adding the X-Frame-Options header, set to DENY, on all pages.
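
To verify that a page carries the protection described above, the response headers can be classified the way a browser would treat them. This is an added example, not code from the original post or from Google; it goes beyond the post by also covering the CSP frame-ancestors directive, and the function names and sample header sets are constructed for illustration.

```python
# Added example: classify a response's anti-framing protection from its headers.
RANK = {"unprotected": 0, "allowlist": 1, "same-origin": 2, "deny": 3}

def _from_csp(policy):
    """Verdict of the first frame-ancestors directive in one policy, or None."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.lower() for p in parts[1:]]
            if not sources or sources == ["'none'"]:
                return "deny"
            if "*" in sources:
                return "unprotected"
            # "allowlist" means specific sources are listed and need review.
            return "same-origin" if sources == ["'self'"] else "allowlist"
    return None

def _from_xfo(values):
    """Verdict for all X-Frame-Options tokens seen on the response."""
    tokens = {t.strip().lower() for raw in values for t in raw.split(",") if t.strip()}
    if len(tokens) > 1:
        # Conflicting values block framing if any of them is a recognised token.
        return "deny" if tokens & {"deny", "sameorigin", "allowall"} else "unprotected"
    if tokens == {"deny"}:
        return "deny"
    # Anything else, including the obsolete ALLOW-FROM, gives no protection.
    return "same-origin" if tokens == {"sameorigin"} else "unprotected"

def framing_policy(headers):
    """headers: list of (name, value) pairs as received. Returns a verdict string."""
    # Exact name match, so Content-Security-Policy-Report-Only is not counted.
    csp = [v for n, v in headers if n.strip().lower() == "content-security-policy"]
    xfo = [v for n, v in headers if n.strip().lower() == "x-frame-options"]
    verdicts = [r for h in csp for p in h.split(",") if (r := _from_csp(p))]
    if verdicts:  # an enforced frame-ancestors makes browsers ignore X-Frame-Options
        return max(verdicts, key=RANK.get)  # strictest policy bounds the result
    return _from_xfo(xfo)

SAMPLES = {  # constructed header sets, not captured traffic
    "no protection": [("Content-Type", "text/html")],
    "fix from the post": [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")],
    "obsolete value": [("X-Frame-Options", "ALLOW-FROM https://example.com")],
    "csp overrides": [("X-Frame-Options", "DENY"),
                      ("Content-Security-Policy", "frame-ancestors 'self'")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:18} -> {framing_policy(hdrs)}")
```
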