
Ask HN: Is Google Chrome's autotranslate feature a huge vulnerability? - d3fault
First, let me say that I am not a professional of any kind. I&#x27;m actually just entering my first year of undergrad.<p>Anyway, let&#x27;s get to the point:<p>If someone were to use the auto translate feature to look at a foreign bank account (as an expat or something), couldn&#x27;t the server request to translate your page be intercepted and read by a malicious party? It seems like a much easier point of entry than something like a key logger or something. However, like I said, I&#x27;m not a professional, or even a semi-professional. I thought of this, quite literally, in the shower.
======
sonofblah
1) It's encrypted, but most of everything has a vulnerability somewhere

2) This is a great question, of the kind more people should regularly be
asking

3) Don't stop!

------
DonHopkins
There are a lot of strings of text that it would not make sense to translate
and not be wise to send to a remote translation service, like strings of
digits, blocks of base 64 encoded text like ssh keys, digits and letters
separated by punctuation like phone numbers and bank account numbers, etc.

Perhaps Google Translate should filter out non-word private tokens from the
original text (replacing them with opaque identifiers that aren't translated
but are left alone, and substituting the originals back into the translated
text).

(PS: Are you still in the shower, posting on one of those new-fangled
waterproof phones? Hopefully not a Google Glass!)

------
rahimnathwani
It might be fun for you try this yourself.

Connect two computers to the same network. On one, use some MITM proxy
software. On the other, set all the traffic to go via this proxy, either
transparently (via default gateway) or explicitly via proxy settings.

Then see if you can intercept the info being sent from your browser to Google
translate.

I'm not at a computer right now, but I guess that:

1\. The auto-translate feature uses https, so that the traffic between you and
Google is not available via network-level MITM.

2\. The page contents are not sent to Google at all, but only the URL

~~~
eat_veggies
You don't even need a proxy--just open up your dev tools and watch the
network.

1\. It does use HTTPS. It'd be insane if it didn't.

2\. Individual strings from the page get sent to the translate API:

[https://i.imgur.com/2nAlbp4.png](https://i.imgur.com/2nAlbp4.png)

------
kyleperik
End to end encryption seems to be less understood by many people, even some
professionals I know. HTTPS is completely secure, check this out, it's a fun
read: [https://en.m.wikipedia.org/wiki/Public-
key_cryptography](https://en.m.wikipedia.org/wiki/Public-key_cryptography)

The real question is perhaps, are we okay with Google having their eyes on
everything?

~~~
UncleMeat
Is that even the real question? If you are using chrome to visit your bank you
are already assuming that Google isn't behaving badly. Your threat model
changes very little when sending page contents to be translated.

~~~
kyleperik
You can track what comes and goes on your network, if chrome sends information
about random pages back snoop on, then I think that quite certainly would have
been whistleblown by now.

Sending a webpage ourselves directly to google is a completely different
story. We have no idea what goes on with your data behind their servers. But
we can monitor what goes on in our own machines.

Also, funny how we've come to the point that we're using the term threat model
to describe our relationship with the beloved Google.

------
kirykl
[https://www.chromium.org/developers/design-
documents/transla...](https://www.chromium.org/developers/design-
documents/translate)

------
orf
Google translate refuses to work on private pages. It's actually kind of
annoying, but yeah, anything past a login it refuses to do. At least for my
bank and anything bill related.

~~~
bckygldstn
As another data point, Google happily translates my bank account.

------
great_psy
It depends how Chrome is programmed to detect languages. The language
detection could be all done in the browser, and it would only send data to
google if you want to translate. The translation could be intercepted, but it
could also (hopefully) be encrypted.

To get a definite answer you would need to look at the source code and go from
there.

~~~
bzbbzjux
Or save yourself a ton of time and just capture the network traffic.

------
Imanari
Not directly answering your question but stil relevant. At a fairly big
company I worked at as a student I was able to circumvent the website blocker
of the company by just applying google translate to the site. Formatting and
images etc. were lost but it enabled me to browse reddit.

------
hluska
1.) I don't know, but that's fucking cool.

2.) You should follow rahimmathwani's advice and set up a man in the middle
attack. You'll learn a lot.

3.) Have I mentioned that is fucking cool???

Good work! This is the exact kind of question that everyone should ask.

PS - That is fucking cool!

------
tinus_hn
If you ask a person or a service to translate things that person can of course
see these things.

If your connection to that service is not secured others may be able to
intercept it. Chances are that it is though. Google Translate uses secure
connections.

