The announcement appeared in small text on the Russian president’s website: “Let me speak from my heart: Edward Snowden is a Russian Citizen. Thanks to @homakov!”
The Twitter handle belongs to Egor Homakov, a security researcher with a penetration testing group called Sakurity, which does freelance consulting.
Homakov’s spoof message didn’t actually appear on Vladimir Putin’s website. Instead, Homakov found a trick that allowed him to modify content delivered to a user from Google Translate, which he describes on his blog.
Interestingly, Homakov and Google agree that his finding isn’t actually a security issue per se. “As the researcher implied at the end of his original blog post, this is really not a security vulnerability,” according to a statement from a Google spokeswoman.
When Google translates something, it returns the content in a hosted, separate sandboxed domain: “translate.googleusercontent.com.” It allows third-party scripts to run in that domain, which would allow, for example, Homakov to modify the content.
Google, which rewards security researchers for finding certain kinds of software flaws, advises that it doesn’t pay for cross-site scripting vulnerabilities in the “.googleusercontent.com” domain.
The company said it maintains a number of domains that use the same-origin policy, a complicated set of conditions intended to allow interactions between sites in the same domain but prevent meddling from other sources.
Still, Homakov’s trick is amusing, no less because Snowden, a former NSA contractor who has released batches of sensitive material documenting U.S. government surveillance efforts, is still marooned in Russia while he tries to secure asylum.
Homakov’s experiment also proves that users may want to be cautious when using Google Translate: If the content is nearly unbelievable, it might be best to find a native speaker to confirm the translation.