Any corrections are welcome at firstname.lastname@example.org.
The Google Translate content is served up from a subdomain of googleusercontent.com. This is a domain designated by Google for user-supplied content so that it can be rendered without affecting the safety of pages on google.com and elsewhere.
The demonstration here is that one page on googleusercontent.com can affect another page on googleusercontent.com. This is perfectly acceptable via the same origin policy.
It's intensely annoying to crawl political blogs for Australia, UK, New Zealand and US from my server in Germany and then have all the URLs with .de when they go into my news site. As a problem the solution is trivial I suppose, but why do they do it in the first place?
Of course, that means that with a little bit of fiddling (change the domain name end, I think) you can read a censored post if you're in a problematic country. It's quite a good idea, actually.
Looking in the console it says:
Blocked opening 'http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=ht... in a new window because the request was made in a sandboxed frame whose 'allow-popups' permission is not set.
So the attack doesn't seem to work in Chrome.
NB: Just tested on FF, works on that.
Also homakov, I had to edit the iframe width/height just to be able to see the link in the first place because Google's putting all the login stuff at the top. I'd suggest setting the height to 300px instead of 30px. Are you running something which stops that showing in your browser?
The GUC Page 1 (having a link inside) is not sandboxed and located on homakov.blogspot.com. Since it calls window.open on click, Chrome must not block opening a popup. I'm pretty sure you have specific/strict settings?
>So the attack doesn't seem to work in Chrome.
It worked for me, for my friends, and for people who +ed the item. Let's figure out what went wrong.
I made it 30px to hide "tooltips" on hover
This is what I'm seeing:
Google opens translated pages under translate.googleusercontent.com. The link is located on GUC Page 1 (now, perhaps, you can see the iframe, but it's trivial to add some CSS to make it look more seamless). It opens with window.open this URL: http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=ht...
Now GUC Page 1 changes the content of GUC Page 2 (the translated page of kremlin.com), using some DOM and frame tricks I ranted a bit about in the post.
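The whole thread turns on two browser rules: the same-origin policy (which lets one translate.googleusercontent.com document script another, but keeps both away from google.com) and the iframe sandbox flag set that produced the "allow-popups" console message quoted earlier. The following is an added illustration written for this discussion, not code from the thread, from homakov's PoC, or from Google; the sample URLs are constructed to mirror the hostnames named in the comments, and the sandbox check models the documented meaning of the `allow-popups` token rather than any browser internals.

```javascript
// Added example (not from the thread or from Google).
// Models the same-origin policy decision the comments rely on: two documents
// share an origin only when scheme, host and port all match. Path, query and
// fragment never count, which is why two translated pages served from
// translate.googleusercontent.com are same-origin with each other while
// neither can reach translate.google.com or google.com.

function originOf(urlString) {
  // URL.origin normalises default ports and lower-cases the host for us.
  return new URL(urlString).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// The iframe `sandbox` attribute is a space-separated list of capabilities
// that are re-enabled inside an otherwise fully restricted frame. A call to
// window.open from a sandboxed frame is refused unless "allow-popups" is
// present; an absent attribute means no sandbox at all. This mirrors the
// Chrome console message quoted above, which is the defender-visible signal
// that the restriction fired.
function popupsAllowedInSandbox(sandboxAttr) {
  if (sandboxAttr === null || sandboxAttr === undefined) return true; // not sandboxed
  const flags = sandboxAttr.trim().split(/\s+/).filter(Boolean);
  return flags.includes('allow-popups'); // sandbox="" (no tokens) blocks popups too
}

// Constructed sample URLs: the first two live on the GUC subdomain that
// serves translated pages; the third is the Google Translate front end.
const gucPage1 = 'http://translate.googleusercontent.com/translate_c?u=http://example.com/a';
const gucPage2 = 'http://translate.googleusercontent.com/translate_c?u=http://kremlin.com/';
const translateFront = 'http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http://kremlin.com/';

// Collects the decisions a reviewer would want to see side by side.
function summary() {
  return {
    gucToGuc: sameOrigin(gucPage1, gucPage2),                 // true
    gucToTranslate: sameOrigin(gucPage1, translateFront),     // false
    sandboxedNoPopups: popupsAllowedInSandbox('allow-scripts allow-same-origin'), // false
    sandboxedWithPopups: popupsAllowedInSandbox('allow-scripts allow-popups'),    // true
    unsandboxed: popupsAllowedInSandbox(null),                // true
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(summary());
}
```

Run it with `node` to print the five decisions. The practical takeaway for anyone hosting untrusted content on a shared "sandbox" domain is the first pair of results: separating a domain from google.com protects google.com, but every document on that shared domain is still one origin, so isolation between tenants needs either per-tenant hostnames or a sandboxed frame whose popups stay blocked, as the Chrome console message shows.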
actually PoC is fixed - http://homakov.blogspot.com.es/2013/07/googleusercontentcom-...
URL manipulation also resulted in more goodies.
Literally, it makes any Google Translate page untrustworthy.
1) Chrome blocks straightforward window.open if no click happened.
2) The user doesn't really expect an automatic popup, so it's not how phishing should behave.
3) Yes, it CAN work similarly on HN, in case you are Paul Graham (if you can change HTML on the front page).