Links can be crafted to display spoofed content

A bug in Google search URLs could allow fraudulent results to appear as legit, a researcher has warned.

The vulnerability lies in the way that Google search engine displays its ‘Knowledge Graph’ – a feature that displays snippet of information above the results, usually summing up the query.

This information is pulled from different sites, for example Wikipedia, without showing the source name.

By adding a &kgmid parameter in the URL, and the code for a chosen Knowledge Graph card, a malicious actor could exploit the results to show a skewed version.

A blog post published recently by Wietze Beukema, cyber threat detection and response at UK company PricewaterhouseCoopers, shows how easy it is to craft the URL.

By adding the parameter and a chosen Knowledge Graph card to search results for The Rolling Stones, the researcher demonstrated how Beatles legend Paul McCartney’s card and image were shown first.

It seems innocent enough, but this bug could easily be exploited by those looking to spread propaganda or fake news online.

Just look to the example Beukema gives, which displays George W. Bush’s card in the results ‘Who was responsible for 9/11?’

This isn’t by any means a new revelation – hacking the Knowledge Graph to display distorted results is a trick that has been pulled for many years.

But, as this latest blog notes, this is a known issue that hasn’t been patched by Google, despite bug reports being submitted.

In fact, Beukema has claimed that Google closed his report as it wasn’t considered “serious enough” to be looked into.

Beukema wrote: “This issue isn’t completely new – I found out about this over a year ago and even then I wasn’t the only one aware of it. What is surprising though is that the problem still hasn’t been addressed by Google. The bug report I filed about a year ago was closed as it wasn’t considered a severe enough vulnerability.”

He added: “I disagree: in this day and age of fake news and alternative facts, it is irresponsible to have a ‘feature’ that allows people to fabricate false information on a platform trusted by many.”