A simple bug makes it easy to spoof Google search results into spreading misinformation

A bug that anyone can easily exploit in Google makes it easy to kick out manipulated search results that look entirely real.

The search manipulation bug was documented by Wietze Beukema, a London-based security specialist, who warned that a malicious user could use this bug to generate misinformation.

This is done by splicing together values from a Google search result’s “knowledge graph,” the cards that pop up in search results to supplement the search query with visuals and quick facts. Anything from countries, planets, tech news sites and more have cards that appear on the right-side of Google’s search results, displaying other nuggets of information at a glance.

In a blog post, Beukema explained that the short, shareable URL when entered into a Google search result could be chopped and added to the web address of any other search query.

So, when you’d search: “What is the capital of Britain,” you’d expect London to return. Actually, you can make it any value — such as Mars.

It also works if you search “Who is the US president?” You can just manipulate the result to read “Snoop Dogg.”

A bug makes it easy to put the contents of a knowledge card into a search result. (Image: TechCrunch)The manipulated search query doesn’t break HTTPS, so anyone can craft a link, send it in an email, tweet it out or share it on Facebook — and the recipient, one assumes, would be none the wiser. But that can be a real problem in an age of mistrust of internet companies after misinformation campaigns by nation-state actors.

Beukema warned that this search manipulation bug could be used to spread factually incorrect information, or even propaganda.

“Who is responsible for 9/11?” can be pointed to George Bush, a widely held conspiracy theory. “Where was Barack Obama born?” can be pointed to Kenya, another conspiracy theory largely propagated by his successor, Donald Trump, who later backtracked on the claim.

And even, “Which party should I vote for?” can be pointed to either the Republicans or the Democrats.

No wonder so many people think the election was rigged if they think they can click a button and have a search engine tell them who to vote for.

Beukema told TechCrunch that anyone can “generate normal-looking Google URLs that make controversial assertions,” which can “either look bad on Google, or worse, people will accept them as being true.”

He said that he first reported the bug to Google in December 2017, but the report was closed without the company taking any action.

“The ‘attack’ I described relies on this trust people have in Google and the facts it presents,” he said.

The bug is still active at the time of writing. In fact, it’s been known about for almost three years. Beukema simply brought the issue to light after first discovering the issue more than a year ago. But it’s already sparked interest from the hacker community. One developer, Lucas Miller, took just a few hours to build a Python script to automatically generate fake results based on search queries.

It’s a mystery why Google, despite claims of political bias (though no evidence to say it’s true), has taken so long to fix a basic weakness in its search results that would make the service far more trustworthy.

A Google spokesperson told TechCrunch that it was “working to fix” the issue.

Cybersecurity 101: How to browse the web securely and privately