A bug that anyone can easily exploit in Google makes it easy to kick out manipulated search results that look entirely real.
The search manipulation bug was documented by Wietze Beukema, a London-based security specialist, who warned that a malicious user could use this bug to generate misinformation.
By splicing together values from a Google search result’s “knowledge graph,” the cards that pop up in search results to supplement the search query with visuals and quick facts. Anything from countries, planets, tech news sites and more have cards that appear on the right-side of Google’s search results, displaying other nuggets of information at a glance.
In a blog post, Beukema explained that the short, shareable URL when entered into a Google search result could be chopped and added to the web address any other search query.
It also works if you search “Who is the US president?” You can just manipulate the result to read “Snoop Dogg.”
The manipulated search query doesn’t break HTTPS, so anyone can craft a link, send it in an email, tweet it out, or share it on Facebook — and the recipient, one assumes, would be none the wiser. But that can be a real problem in an age of mistrust of internet companies after misinformation campaigns by nation state actors.
Beukema warned that this search manipulation bug could be used to spread factually incorrect information, or even propaganda.
“Who is responsible for 9/11?” can be pointed to George Bush, a widely held conspiracy theory. “Where was Barack Obama born?” can be pointed to Kenya, another conspiracy theory largely propagated by his successor, Donald Trump, who later backtracked on the claim.
No wonder so many people think the election was rigged if they think they can click a button and have a search engine tell them who to vote for.
The bug is still active at the time of writing. In fact, it’s been known about for almost three years. Beukema simply brought the issue to light after first discovering the issue more than a year ago. But it’s already sparked interest from the hacker community. One developer, Lucas Miller, took just a few hours to build a Python script to automatically generate fake results based on search queries.
It’s a mystery why Google, despite claims of political bias (though no evidence to say it’s true), wouldn’t fix a basic weakness in its search results that would make the service far more trustworthy.
Google did not comment prior to publication. If that changes, we’ll update.
Published at Wed, 09 Jan 2019 23:12:02 +0000