Tell HN: Immersive-translate plugin may expose you to XSS attacks
This post might not directly concern English-speaking users, but I know there are many users (at least many Chinese-speaking users) who browse Hacker News with the immersive-translate plugin[1]. The plugin has https://news.ycombinator.com included in its default list of sites to translate.
I recently identified a potential XSS injection target. When users navigate to a specific piece of content using the plugin, malicious code could be executed by their browser. This allows the possibility of cookies being stolen or other malicious activities. I have reported it in their issue tracker[2].
Example:
If you translate the above content using immersive-translate, you’ll see a popup. Moving your mouse over the translated content could trigger another popup.
Suggestions:
– For Immersive-Translate users: Until this issue is fixed, I recommend disabling the default translation of Hacker News content and only translating content that has been manually reviewed.
– For Hacker News admins: To mitigate this risk, you might consider adding a `Content-Security-Policy` header in the server responses or including a `<meta>` tag in the HTML `<head>` section.
[1]: https://immersivetranslate.com/
[2]: https://github.com/immersive-translate/immersive-translate/issues/2022
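As an added illustration of the CSP mitigation suggested above (this is example code, not the poster's or the plugin's), the function below parses a policy string and reports whether it would block the inline scripts and `on*` event handlers that an injected payload depends on. The two policies are constructed for this example, not taken from news.ycombinator.com.

```javascript
// Parse "directive src src; directive2 src" into a Map of directive -> [sources].
// Per the CSP spec, only the first occurrence of a duplicated directive counts.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) {
      directives.set(key, sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// Inline <script> elements and inline event handlers are governed by
// script-src, falling back to default-src when script-src is absent.
// Returns true when such inline script would be blocked.
function blocksInlineScript(header) {
  const directives = parseCsp(header);
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (sources === undefined) return false; // no governing directive: allowed
  if (sources.includes("'unsafe-inline'")) {
    // A nonce or hash source makes browsers ignore 'unsafe-inline'.
    const hasNonceOrHash = sources.some((s) =>
      /^'(nonce-|sha(256|384|512)-)/.test(s)
    );
    if (!hasNonceOrHash) return false;
  }
  return true;
}

// Constructed policies: the weak one still permits injected inline handlers,
// the corrected one blocks them (and closes the plugin-less <object> vector too).
const weakPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const strictPolicy = "default-src 'self'; script-src 'self'; object-src 'none'";

// The same policy string can be delivered without a header change via a meta tag.
function cspMetaTag(policy) {
  return `<meta http-equiv="Content-Security-Policy" content="${policy}">`;
}
```

Note that a policy which only restricts images or fonts (no `script-src` and no `default-src`) leaves inline script fully allowed, which the check reports as `false`.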
Comments URL: https://news.ycombinator.com/item?id=41277644