Google Search Engine Manipulation

 
Researcher Tom Anthony discovered a supercritical Google search engine vulnerability that could affect search results. The company “fixed” the vulnerability for half a year and paid only $ 1337 for it. The

brief essence of the vulnerability is as follows: as part of ongoing research, the author recently discovered a problem with Google that allows an attacker to send an XML map of a Google site for a site for which he failed authentication . Since these files may contain indexing directives, such as hreflang , this allows an attacker to use these directives to help their own sites rank in Google search results.

Google allows you to submit an XML sitemapto help locate URLs to crawl, but it can also be used for the hreflang directive, in order to identify other international versions of the same page (for example, “hey google, this is an american page, but I have a page in German, this URL ... "). It is not known exactly how Google uses these directives (like everything related to Google search algorithms), but it seems that hreflang allows a single URL to" borrow "the ranking and trust of links from a single URL and use it to rank another url (i.e. b most people refer to the American version of .com, and therefore the German version can “borrow” a trust for ranking on Google.de).

According to the documentation, submission of an XML file for Google can be done through the Google Search Console, robots.txt or a specialized “ping” URL.

You can add new XML sitemaps via the ping mechanism, with Googlebot typically retrieving the file within 10-15 seconds after the ping. It’s important to note that Google also mentions a couple of times on the page that if you submit a Sitemap via the ping mechanism, it won’t appear inside your Search Console .



The practical use of the vulnerability is associated with the use of a redirect mechanism, which is quite common in modern web applications. An attacker can use it as a direct redirect in the context of different domains (if it is allowed):



or mechanisms for bypassing validation, for example, using the structure of subdomains that repeat the URL of the attacked site (for example, the retailer Tesco.com - which earns more than 50 billion pounds, with more than 1 billion pounds sterling through its website):



“Ping” service followed the full redirect path and validated the xml file for the first URL (but actually located on a different domain):



As a result of the experiment, the researcher received traffic to the “fake” domain, without a single backlink for 48 hours:



In addition, a new ca it began to appear on the first page of Google’s issuance of highly competitive requests (again, without a single backlink to a new site):



Moreover, after these manipulations, the connection of websites began to be traced in the Google Search Console:

---

Timeline:

• September 23, 2017 - initial bug report.
• September 25, 2017 - Google's answer - learning the error.
• October 2, 2017 - sending details.
• October 9 - November 6 - some status updates.
• November 6, 2017 - Google continues to investigate the security issue.
• November 6, 2017 - author's adjustment related to following redirects for pinged sitemaps.
• January 3, 2018 - status update.
• January 15, 2018 - Google’s response from until all factors are identified, given the legitimate use - they ask to wait for an answer.
• February 15, 2018 - Google is exposed.
• March 6, 2018 - Google announces payment of a fee of $ 1,337.
• On March 6, 2018, the author requests that the details of the vulnerability be published in the public domain.
• March 12, 2018 - Google asks to wait, because correction has not yet been completed.
• March 25, 2018 - Google confirmed the publication of the details of the vulnerability in the public domain.