Translation — Finding data within indexed translations
There are so many ways to communicate with people now, but just because we have the capability to do so with emails and phones for example, there is a lot more to think about like the thousands of spoken languages around the world.
This is where tools like Google Translate come in. You may have heard of the popular ones from Google, Bing, and Yandex for example, but there are many others out there that have their differences.
Google Translate allows you to select two languages. The first language is what you currently have and want to translate into another language. The second is the language you want to translate the text into. For example, below I am translating the words “open source intelligence” from English to Portuguese. It does this automatically as I type it in which makes it a lot quicker and more simple to use.
I recently came across another translation site that works a bit differently. It is called ‘cevirsozluk’. At first you only see one box to type into. As you type, a translation does appear below the box, but you can see we also have a “Translate it now” button. I am not sure if they have just updated their site to translate automatically and haven’t removed the button yet, but they both work the same way so it isn’t anything to worry about.
You should notice on the bottom of the page that it shows recent translations that have been searched by other users. So what? Who cares if you can see that someone wants to find out how to say “cake” in French? It becomes more serious when users who don’t know that these searches are being indexed post confidential or personal information.
Using advanced Google searches or “Google dorks”, we can find all indexed results from this translation website. As of 23/08/2019 it says there are about 2,170,000 results. When I was looking at this just yesterday, there was much less than 2 million, so it is rapidly increasing.
Now the possibilities are endless here. You will find people translating single words, basic phrases, but I am finding that a lot of interesting data is coming from people translating their emails. You can add keywords to the advanced search above. I tried keywords like “credit card”, “@gmail.com”. “confirmation”, and more.
To kick things off, the image above shows someone translating an email they received containing credit card details. It has the full card number, security code (CVV), expiration date, card type, and even the ID to their account. This shows how severe it can be when people don’t realise that these translations are being indexed.
Another email translation included a successful login alert. This is very common now where sites will alert you to logins from new devices or locations. This one is from Bittrex which allows you to buy and sell crypto currency. It provides an IP address for the person who logged in. This could be someone who has hacked into their account or could also be the user themselves who have logged in, got the email, translated it which has now leaked their own IP address.
The last example I will show is one not from an email, but one copied in from a website. It appears to be after they have signed up for an account and it says it has sent a confirmation code to their mobile phone and it reveals the full phone number as well.
These are just some of the many examples I found with personal information in them, some had transaction ID’s for bank payments, PayPal transactions, and more.
There are always new services coming and going. Most are extremely useful but people aren’t always taking the time to first learn how to properly use them and what data they could be revealing about you.
Very recently, a company called Cyjax revealed their research into malware sandboxes showing how people blindly trust them to scan confidential files, while lots of those services actually index those for everyone to see. You can read more about that here:
I would encourage everyone to be careful with what they upload to online services, whether that be a translation site, malware scanners, or anything else for that matter.
