Googlebot XSS attacks could allow search engine manipulation

PageRank pwned?

UPDATED A cross-site scripting (XSS) attack on Googlebot could be abused to run search engine manipulation attacks, research has found.

Researcher Tom Anthony discovered that it’s possible to manipulate Googlebot into executing JavaScript on other people’s websites.

Google will index the resulting changes made and this, in turn, might be used to inflate a site’s PageRank and therefore its prominence in search engine results.

Anthony first reported his findings to Google last November and, after a fair amount of back and forth, Google told the researcher it had no immediate plans to fix the issue.

The ad broking giant may have reached this decision because it was preparing to release a new build of Googlebot, Anthony speculates.

Googlebot – Google’s web crawler software – is based on Google Chrome version 41, and therefore lacks XSS Auditor, a technology later versions of Chrome use to protect the user from XSS attacks.

This – combined with the prevalence of XSS weaknesses across the web – open the door to mischief, Anthony explains.

“Since Googlebot executes JavaScript, this allows an attacker to craft XSS URLs that can manipulate the content of victim sites,” Anthony writes in a technical blog post.

“This manipulation can include injecting links, which Googlebot will follow to crawl the destination site. This presumably manipulates PageRank, but I’ve not tested that for fear of impacting real sites rankings.”

Websites can defend against potential abuse by fixing any and all XSS bugs, a far from straightforward task.

At minimum, site admins would be well advised to check server logs and search for URLs that have terms such as ‘script’ in them, indicating a possible XSS attempt.

Anthony only went public with his findings six months after his original report.

Although his reasoning seems sound, he’s only partially tested it using Google’s testing tools against Google’s Website Rendering Service and has not proven it can be used to manipulate PageRank.

As things stand, there’s no solid proof that the potential exploitation technique works, much yet that it’s being abused by black hat SEO types.

Nonetheless, there’s a concern that malfeasance might be possible.

In a statement in response to questions from The Daily Swig, Google said it had found no evidence of malfeasance while stressing that it continued to be on the look about for potential abuse.

“We appreciate the researcher bringing this issue to our attention. We have investigated and have found no evidence that this is being abused, and we continue to remain vigilant to protect our systems and make improvements.”

We understand Google is busy at work working on as yet undisclosed further measures to protect webmasters and users against XSS. Webmasters should continue to protect their sites against cross-site scripting attacks.

This article has been updated to include comments from Google.