A Clickjacking vulnerability existed on Google Website Translator that allowed an attacker to add a translate editor by redressing the editor management page.
Google Website Translator pages lacked the X-FRAME-OPTIONS HTTP header and any frame-busting measures that would prevent the pages from being framed. The editor management page could therefore be redressed to ‘click-jack’ Google users.
Proof of Concept:
With the frame opacity set to 0.5 you can clearly see the redressed page and everything in the background. The matchstick is actually a text area containing the attacker’s email address, which is selected by default. When the user drags the matchstick, he actually drags the email address into the invite email address field, and when he clicks the result, he actually clicks the redressed invite button.
Google fixed the vulnerability by adding the X-FRAME-OPTIONS header, set to DENY, on all pages.
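The check below is an added example, not Google's code or anything from the original post. It audits a set of HTTP response headers for the protection described above (X-Frame-Options set to DENY or SAMEORIGIN, or a Content-Security-Policy frame-ancestors directive) and shows how a response that lacks it is repaired. The sample header sets are constructed for illustration; the function names are my own.

```python
# Added example: audit response headers for clickjacking protection and
# apply the fix described in the post (X-Frame-Options: DENY).
from typing import Dict, List, Optional, Tuple

# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "vulnerable": {"Content-Type": "text/html"},
    "fixed_xfo": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "csp_only": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    },
    # ALLOW-FROM is ignored by current browsers, so it gives no protection.
    "bad_value": {"X-Frame-Options": "ALLOW-FROM https://example.test"},
}


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def framing_protection(headers: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (protected, findings) for one response's headers.

    protected is True when at least one mechanism a browser actually enforces
    (X-Frame-Options DENY/SAMEORIGIN, or CSP frame-ancestors without '*')
    is present. findings lists everything that is missing or weak.
    """
    findings: List[str] = []
    protected = False

    xfo = _get(headers, "X-Frame-Options")
    if xfo is None:
        findings.append("missing X-Frame-Options")
    elif xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        protected = True
    else:
        findings.append(f"X-Frame-Options value not enforced by browsers: {xfo!r}")

    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("missing Content-Security-Policy frame-ancestors")
    else:
        for directive in csp.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = parts[1:]
                if sources and "*" not in sources:
                    protected = True
                else:
                    findings.append(f"frame-ancestors allows any origin: {directive.strip()!r}")
                break
        else:
            findings.append("Content-Security-Policy has no frame-ancestors directive")

    return protected, findings


def add_frame_denial(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of headers with framing denied by both mechanisms."""
    fixed = dict(headers)
    fixed["X-Frame-Options"] = "DENY"
    csp = _get(fixed, "Content-Security-Policy")
    if csp is None:
        fixed["Content-Security-Policy"] = "frame-ancestors 'none'"
    elif "frame-ancestors" not in csp.lower():
        fixed["Content-Security-Policy"] = csp.rstrip("; ") + "; frame-ancestors 'none'"
    return fixed


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        ok, notes = framing_protection(hdrs)
        print(f"{name:10s} protected={ok} {notes}")
    print("after fix:", framing_protection(add_frame_denial(SAMPLE_RESPONSES["vulnerable"])))
```

Both headers are set in the repaired response because X-Frame-Options alone cannot express anything finer than "same origin", while `frame-ancestors` is the standardised replacement; running both costs nothing and covers browsers that honour only one of them.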
- August 5 - Vulnerability discovered and reported to Google Security Team
- August 7 - Reply from Google Security Team
- August 15 - Vulnerability got fixed and I was credited on the Google Security Hall of Fame (Honourable Mention)