The vulnerability allowed web pages to appear higher in results
Google has patched a flaw that could be manipulated to influence search results, bumping a website higher up on the list.
The bug, detailed here in a blog post, was reported by Tom Anthony, who was paid a bounty of $1,337 for disclosing it.
In short, he was able to trick Google into believing a six-day-old website domain he bought for $12 was endorsed by a legit company.
This bumped the website up to appear on the first page of results.
Anthony explained: “Google provides an open URL where you can ‘ping’ an XML sitemap which they will fetch and parse – this file can contain indexation directives.
“I discovered that for many sites it is possible to ping a sitemap that you (the attacker) are hosting in such a way that Google will trust the evil sitemap as belonging to the victim site.”
An open redirect sends the user on to another URL, and an XML sitemap is a list of URLs that belong to one site.
The company has no idea a malicious actor is using their site to fool Google, as the XML sitemaps don’t show up at their end.
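For a site owner, the part of this within their control is the open redirect. The following validator for a redirect parameter is an added example, not code from Anthony's post or from Google; the host names and function names are hypothetical.

```python
from urllib.parse import urlsplit

# Hypothetical hosts that belong to the site doing the redirecting.
ALLOWED_HOSTS = frozenset({"shop.example", "www.shop.example"})


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `target` keeps the visitor (or crawler) on our own site."""
    if not target or any(c in target for c in "\r\n\t"):
        return False
    # Browsers treat "\" like "/", so "/\host" and "\\host" are scheme-relative URLs.
    candidate = target.strip().replace("\\", "/")
    try:
        parts = urlsplit(candidate)
        host = parts.hostname
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept absolute paths only, and refuse "///host",
        # which browsers resolve to another host.
        return candidate.startswith("/") and not candidate.startswith("//")
    # Absolute or scheme-relative URL: the hostname (userinfo and port stripped)
    # must be one of ours.
    return host is not None and host.lower() in allowed_hosts


def resolve_redirect(target, default="/"):
    """Value for the Location header: the requested target, or `default` if off-site."""
    return target if is_safe_redirect(target) else default


if __name__ == "__main__":
    # Constructed sample values for a ?next= style parameter.
    samples = [
        "/account/orders",
        "https://www.shop.example/sale",
        "https://attacker.example/sitemap.xml",
        "//attacker.example/sitemap.xml",
        "https://www.shop.example@attacker.example/",
    ]
    for sample in samples:
        print(f"{sample!r:50} -> {resolve_redirect(sample)!r}")
```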
Google doesn’t list XML sitemap vulnerabilities in its bounty program, but made an exception once Anthony pointed out this flaw to them.
This is reportedly the first time Google has paid a bounty for the ability to influence search results.
Anthony added: “In terms of Black Hat SEO, this had a clear usage, and furthermore is the first example I’m aware of an outright exploit in the algorithm, rather than manipulating ranking factors.
“The severity of potential financial impact of the issue seems non-trivial – imagine the potential profit from targeting Tesco or similar (I had more tests to run to investigate this more but couldn’t without potentially causing damage).”