Crazy idea but it's bugging me all day:
is it possible for attacker to inject custom locale files so that user will see more innocent question, instead of original locale messages in targeted app?
This could be simply a joke made on a user - swapping "OK" and "Cancel" or "Save" and "Delete" translations in locale files, but it also could lead into tricking user to click something he wouldn't normally click and I didn't found anything in the docs.
If an application allows to load locale files from $HOME, then attacker doesn't need to have root access, bug in the browser allowing file system write access will allow attacker to inject evil locale files for sudo fronted or other security related app, so when the attacker wants to gain access to something user is confused and clicks "Allow" instead of "Deny".
Are we protected from translation injection attacks?
--
Łukasz Mierzwa