Ask HN: Is Google Chrome's autotranslate feature a huge vulnerability?
First, let me say that I am not a professional of any kind. I'm actually just entering my first year of undergrad.
Anyway, let's get to the point:
If someone were to use the auto translate feature to look at a foreign bank account (as an expat or something), couldn't the server request to translate your page be intercepted and read by a malicious party? It seems like a much easier point of entry than something like a key logger or something. However, like I said, I'm not a professional, or even a semi-professional. I thought of this, quite literally, in the shower.
17 comments
[ 3.5 ms ] story [ 48.7 ms ] threadConnect two computers to the same network. On one, use some MITM proxy software. On the other, set all the traffic to go via this proxy, either transparently (via default gateway) or explicitly via proxy settings.
Then see if you can intercept the info being sent from your browser to Google translate.
I'm not at a computer right now, but I guess that:
1. The auto-translate feature uses https, so that the traffic between you and Google is not available via network-level MITM.
2. The page contents are not sent to Google at all, but only the URL
1. It does use HTTPS. It'd be insane if it didn't.
2. Individual strings from the page get sent to the translate API:
https://i.imgur.com/2nAlbp4.png
To get a definite answer you would need to look at the source code and go from there.
Perhaps Google Translate should filter out non-word private tokens from the original text (replacing them with opaque identifiers that aren't translated but are left alone, and substituting the originals back into the translated text).
(PS: Are you still in the shower, posting on one of those new-fangled waterproof phones? Hopefully not a Google Glass!)
If your connection to that service is not secured others may be able to intercept it. Chances are that it is though. Google Translate uses secure connections.
2) This is a great question, of the kind more people should regularly be asking
3) Don't stop!
The real question is perhaps, are we okay with Google having their eyes on everything?
Sending a webpage ourselves directly to google is a completely different story. We have no idea what goes on with your data behind their servers. But we can monitor what goes on in our own machines.
Also, funny how we've come to the point that we're using the term threat model to describe our relationship with the beloved Google.
2.) You should follow rahimmathwani's advice and set up a man in the middle attack. You'll learn a lot.
3.) Have I mentioned that is fucking cool???
Good work! This is the exact kind of question that everyone should ask.
PS - That is fucking cool!