Google search engine spoofing
Information security expert Wietze Beukema discovered a fairly simple logical vulnerability in the formation of Google search results, which allows to manipulate the results of the issue. Despite the simplicity of the vulnerability, the consequences of its use can be quite serious.
Simple addition of parameters in uri allows you to replace the so-called. Knowledge Graph in the formation of search results on request.
Knowledge Graph is a semantic technology and knowledge base used by Google to improve the quality of its search engine with semantic search information collected from various sources. The knowledge graph provides structured and detailed information about the topic in addition to a list of links to other sites.
The goal is for users to use this information to solve their requests without having to go to other sites and collect information on their own.
When forming a graph, you can share its results in the form of a short-URL, which contains the kgmid parameter, which is responsible for the display of the Knowledge Graph, as well as the kponly parameter, which is responsible for the priority of the Knowledge Graph.
After switching to the short-URL, the link is transformed, and the required parameter kgmid can be obtained:
Further, the received parameter can be used to form a fake issue:
To disguise uri, you can use goo.gl: https://goo.gl/5FK7Na
These manipulations can be used by attackers to create false information, fake news, stuffing, etc.
UPD: 01/11/2019 The vulnerability is closed .