
[UPDATE: Patched!] Your Fake News - Carefully crafted Google URLs allow custom search results.

rcmaehl

Update (credit @selecadm): https://www.androidheadlines.com/2019/01/google-search-spoofing-bug.html

 

Quote

Google will finally be working to fix a bug in its search engine that allowed results to be spoofed and was first reported by Wietze Beukema in 2017. The biggest threat from queries that have been tampered with, however, might actually be most damaging to Google itself. Setting aside recent claims that Google might be biased in its search engine and similar sentiments that could be exacerbated by spoofed searches, the company has largely built its reputation on the trustworthy nature of its searches. The problem could eventually cause public trust in Google to diminish.

 

Source:

Wietze

Test Case

 

Summary:
By carefully crafting a Google URL, you can make specific result cards appear for any question, creating shareable "fake news". Google says it won't fix.

Media:
Screenshot of a Google Search which seems to suggest George W. Bush was responsible for the 9/11 terrorist attack.

 

Quotes/Excerpts:

Quote

A few years ago, when you entered a search query into Google, you would simply get a list of results. Now, you get all sorts of extra information. If you search for ‘UNICEF’, you’ll see a box next to the search results with some key facts. This feature is Knowledge Graph. Google brought Knowledge Graph to its search engine in 2012 as a means to instantly get information that’s relevant to your query. Unfortunately Knowledge Graph doesn’t tell you where it got the information from. In addition, the algorithm sometimes mixes up information when there are multiple matches. More features were introduced afterwards, such as Featured Snippets and built-in answers (such as ‘what is my ip address’, ‘what time is it in Beijing’, ‘how many ounces in a gallon’, etc.). These features are not part of Knowledge Graph, they work in a similar fashion. A side effect of all this is that people have effectively been trained to take information from these boxes that appear when googling. It’s convenient and quick. A closer examination of Knowledge Graph shows that you can attach a Knowledge Graph card to your Google Search. Following this link will redirect you back to google.com with the original search query. What’s different however are the parameters used... a &kgmid parameter. The unique identifier of the Knowledge Graph card shown on the page. This also means you can link up different pieces of information and give the impression they are related. Google also offers a way to view the Knowledge Graph card in isolation and omit the search results. This can be done by adding the &kponly parameter. These two things combined open the door to abuse: if, for example, your search query is a question, you can now pick a Knowledge Graph card that has your desired answer and only show this desired answer. More seriously, this technique could be used for spreading false information for political or ideological gain.
The point is that this allows you to trick others into believing something is true. After all, it is a legitimate Google Search link and since we have been trained to trust the answers provided by Google, there must be some truth in it, right? The bug report I filed about a year ago was closed as it wasn’t considered a severe enough vulnerability. I disagree: in this day and age of fake news and alternative facts, it is irresponsible to have a ‘feature’ that allows people to fabricate false information on a platform trusted by many.

 

My Thoughts:
While this is great for creating funny results (see the Test Case in sources), it is semi-serious that this can be abused to confuse and manipulate people who don't fact-check or to reinforce incorrect biases such as who caused 9/11 and where Barack Obama was born. Google is unfortunately a trusted source of information when it comes to the Knowledge Graph results, and this should be patched.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor
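
An added example, not part of the original post or the quoted write-up: a Python check that a moderation or link-preview tool could run on shared links to flag Google search URLs carrying the `kgmid` and `kponly` parameters described in the excerpt above, and to rebuild the same search with only the query kept. The host pattern, verdict labels and function name are assumptions made for this sketch.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Heuristic (assumption): google.com plus country domains such as google.nl
# or google.co.uk, with an optional "www." prefix.
GOOGLE_HOST = re.compile(r"^(www\.)?google\.[a-z]{2,3}(\.[a-z]{2})?$")


def inspect_search_link(url):
    """Classify a link; returns None when it is not a Google search URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not GOOGLE_HOST.match(host):
        return None
    if parts.path != "/search":
        return None
    # kponly is a bare flag with no "=value", so blank values must be kept.
    params = parse_qs(parts.query, keep_blank_values=True)
    kgmid = params.get("kgmid", [""])[0]
    kponly = "kponly" in params
    if kgmid and kponly:
        verdict = "card-only"      # chosen card shown without search results
    elif kgmid:
        verdict = "pinned-card"    # chosen card attached to the results
    else:
        verdict = "plain"
    query = " ".join(params.get("q", []))
    # Same search with only the query kept, for comparison by a reviewer.
    clean = urlunsplit((parts.scheme, parts.netloc, "/search",
                        urlencode({"q": query}), ""))
    return {"query": query, "kgmid": kgmid, "kponly": kponly,
            "verdict": verdict, "clean_url": clean}


if __name__ == "__main__":
    samples = [
        # URL posted later in this thread
        "https://www.google.com/search?q=Who+is+the+zodaic+killer&kgmid=/m/07j6ty&kponly",
        # Constructed samples
        "https://www.google.nl/search?q=unicef",
        "https://google.com.example.net/search?q=x&kgmid=/m/0&kponly",
    ]
    for s in samples:
        print(s, "->", inspect_search_link(s))
```
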


 


2 minutes ago, rcmaehl said:

Google says it's won't fix.

Slight confusing typo there. 

The ability to google properly is a skill of its own. 


1 minute ago, Bouzoo said:

Slight confusing typo there. 

Corrected


1 minute ago, LordOTaco said:

Who is zodiac killer?

You mean this search? https://www.google.com/search?q=Who+is+the+zodaic+killer&kgmid=/m/07j6ty&kponly


What I find amazing is those test searches work internationally. They will display results in Dutch even though the URL will say www.google.com and not www.google.nl, which is the URL for Dutch Google.

[Attached image: Capture.PNG]

Full disclosure: this search result is not accurate. It is one of the test searches in the OP.

She/Her


Who would have thought manipulating a search engine's input would result in a specific output?

 

People do this every day already by searching for the data they want, i.e. "vaccines cause autism" rather than "do vaccines cause autism?".

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


1 minute ago, mr moose said:

Who would have thought manipulating a search engine's input would result in a specific output?

 

People do this every day already by searching for the data they want, i.e. "vaccines cause autism" rather than "do vaccines cause autism?".

 

It's a bit more complex than that
 

[Attached image: image.png]

 


1 hour ago, rcmaehl said:

It's a bit more complex than that
 

[Attached image: image.png]

 

How is it more complicated? Do the web pages that it returns answer the question or are they just irrelevant webpages seeded to insinuate an answer? I bet you if I click on the link of Ted Cruz that nothing in the Wikipedia entry claims he is the Zodiac Killer. It is just intentionally false search results.


1 hour ago, mr moose said:

Who would have thought manipulating a search engine's input would result in a specific output?

 

People do this every day already by searching for the data they want, i.e. "vaccines cause autism" rather than "do vaccines cause autism?".

 

What you described is called "confirmation bias".

 

9 minutes ago, mr moose said:

How is it more complicated? Do the web pages that it returns answer the question or are they just irrelevant webpages seeded to insinuate an answer? I bet you if I click on the link of Ted Cruz that nothing in the Wikipedia entry claims he is the Zodiac Killer. It is just intentionally false search results.

And confirmation bias isn't technically false search results. After clicking on the result there is that exact claim you "asked". For example, I search "Bush did 9/11" and get 125000 results where it's written.

 

You confirmed that the issue described in this topic is that if you click on the link there is nothing that claims so.


42 minutes ago, mr moose said:

How is it more complicated? Do the web pages that it returns answer the question or are they just irrelevant webpages seeded to insinuate an answer? I bet you if I click on the link of Ted Cruz that nothing in the Wikipedia entry claims he is the Zodiac Killer. It is just intentionally false search results.

That's a good point, I've seen Google return strange results when someone has intentionally messed with the Wikipedia page for that person or thing. Google search cards seem to be tied closely to Wikipedia.


43 minutes ago, ZacoAttaco said:

That's a good point, I've seen Google return strange results when someone has intentionally messed with the Wikipedia page for that person or thing. Google search cards seem to be tied closely to Wikipedia.

And more to the point, don't trust a Google search result by itself, search again using whatever search engine you want to ensure you haven't just been given a screenshot of what is basically a doctored search result.

 

This is more about how gullible people are rather than doctoring a google search to insinuate an issue.


14 minutes ago, mr moose said:

And more to the point, don't trust a Google search result by itself, search again using whatever search engine you want to ensure you haven't just been given a screenshot of what is basically a doctored search result.

 

This is more about how gullible people are rather than doctoring a google search to insinuate an issue.

I agree, people have become over-reliant on Google, they forget that Google is not an all-knowing entity but rather user-submitted. Forgetting about SEO for a minute, anyone can make a website about anything and Google will serve that website snip as a possible answer to a user's query. This isn't an issue exclusive to Google, it's more of a user's over-dependence on Google, you're right.


7 hours ago, rcmaehl said:

google

Google already does selective promotion of what they want, in the last election it was done to a great degree.


4 hours ago, mr moose said:

How is it more complicated? Do the web pages that it returns answer the question or are they just irrelevant webpages seeded to insinuate an answer? I bet you if I click on the link of Ted Cruz that nothing in the Wikipedia entry claims he is the Zodiac Killer. It is just intentionally false search results.

How many people click the actual link though? When was the last time you needed to click the actual link? The issue is with it being used less obviously and being used to propagate false information.


Just now, rcmaehl said:

How many people click the actual link though? When was the last time you needed to click the actual link? The issue is with it being used less obviously and being used to propagate false information.

I always check the links, I always check what the search criteria is.  

 

Let's be realistic here, the only way this can be used is if someone sends you a specific URL, no one is going to set up their own spoofed URL then fool themselves by it. Which means you are already going to be ready to check the argument and supporting documentation, if all you need is a search result to be convinced then you have bigger issues.


1 minute ago, mr moose said:

I always check the links, I always check what the search criteria is.  

I can assure you most people don't

 

2 minutes ago, mr moose said:

Let's be realistic here, the only way this can be used is if someone sends you a specific URL. If all you need is a search result to be convinced then you have bigger issues.

Don't need to tell me that. Need to tell society. All my examples are obvious fakes, minor adjustments can slowly push a certain viewpoint.


2 hours ago, rcmaehl said:

I can assure you most people don't

 

Don't need to tell me that. Need to tell society. All my examples are obvious fakes, minor adjustments can slowly push a certain viewpoint.

https://en.wikipedia.org/wiki/Third-person_effect

 

This is real.

 


On 1/9/2019 at 6:35 PM, rcmaehl said:

Google is unfortunately a trusted source of information when it comes to the Knowledge graph results, and this should be patched. 

Trusted? By who?
