Google Search Bug Allows People to Hack Results to Spread Misinformation
An innocuous-looking Google bug has been revealed that has the potential for spreading misinformation. The bug was documented by a London-based researcher, who discovered that Google’s Knowledge Panel can be tricked to show up with unrelated queries, thus allowing a malicious actor to use them for disseminating false information or propaganda. With the world already reeling with the impact of the Russian manipulation of the US presidential election using Facebook, any potential to trick Google searches has wide-ranging implications.
According to a blog post by Wietze Beukema, who works for the Cyber Threat Detection & Response team at PwC, anyone can just add one parameter to a Google Search URL and a specific Knowledge Panel will appear next to the search results, even though it is not being intentionally shown by Google.
Google had introduced the Knowledge Graph with much fanfare in 2012 to help its users get a complete picture of what they were looking for without needing to click on the search results. The Knowledge Panel, which was powered by the Knowledge Graph, would appear on the right or top of the search results, depending on which device you were using and offer information about what you were searching for. It is limited to certain, yet expansive, set of queries.
The company also included a share button in the Knowledge Panel to make it easier for the people to share them with others. Now, this sharing functionality has come back to haunt the company.
Essentially, when you click on the share button in the Knowledge Panel, Google generates a URL, which includes the necessary parameters – kgmid and kponly – to make sure the panel will be displayed when anyone click on the URL. Now, if you pick one of these parameters from an existing Knowledge Panel sharing link and paste them in another query’s search URL, you will get the Knowledge Panel from the previous query in the new search results, even though both have no relation. The kgmid parameter can adds a Knowledge Panel to right or top of the search results, whereas the kponly parameter completely removes the search results from the first page and just displays the Knowledge Panel.
The existence of this bug effectively allows anyone with a Knowledge Panel ID to spoof the search results and share them on the social media or other platforms to spread misinformation. Here is an example of what can be achieved with the bug – Who is responsible for 9/11.
A Google spokesperson told TechCrunch that the company was working on a fix. At the time of publication, it seems Google has removed the share button from Knowledge Panels, but if you have the necessary ID, you can still spoof the search results. It is unclear how Google plans to completely fix the issue.