Google has not closed the vulnerability that allows XSS attacks on Googlebot


Five months ago, Tom Anthony of the agency Distilled discovered a vulnerability that allows Googlebot to be manipulated into executing JavaScript and indexing the changes it makes, including links. The researcher notified Google of his discovery, but the company did not close the gap.

As a result, Tom Anthony decided to publish the details of the vulnerability to inform site owners of the potential threat. He noted, however, that Google reviewed his article before publication.


Brief description of the problem

Because Googlebot is based on Chrome 41, it lacks the XSS Auditor feature that later versions of the browser use to protect users from XSS attacks. Meanwhile, many sites are vulnerable to attacks in which a manipulated URL injects JavaScript code into the page.

Because Googlebot executes JavaScript, an attacker can craft XSS URLs that manipulate the content of victim sites. These manipulations may include adding links that Googlebot will follow in order to crawl the site they lead to. This presumably makes PageRank manipulation possible, although the hypothesis has not been tested for fear of damaging sites' rankings.
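One way a site owner can check whether Googlebot has already fetched such URLs, as an added example that is not from the article or the researcher: the Python script below scans access-log lines for requests with a Googlebot user agent whose URL decodes to HTML or script markup. The combined log format, the sample lines and the markup heuristic are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined Log Format (assumed): ip - - [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Heuristic chosen for this example: tag openers, inline event handlers, javascript: URLs.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:', re.I)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253C -> %3C -> <), at most `rounds` passes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Names of query parameters whose decoded value contains markup; '#path' for the path."""
    parts = urlsplit(target)
    hits = [name for name, val in parse_qsl(parts.query, keep_blank_values=True)
            if MARKUP_RE.search(fully_decode(val))]
    if MARKUP_RE.search(fully_decode(parts.path)):
        hits.append("#path")
    return hits

def googlebot_markup_hits(lines):
    """Return (target, status, params) for Googlebot-labelled requests with markup in the URL.
    The user agent is self-declared and can be spoofed; confirming a real crawler is a separate step."""
    out = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and "googlebot" in m["ua"].lower():
            params = suspicious_params(m["target"])
            if params:
                out.append((m["target"], int(m["status"]), params))
    return out

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# Constructed sample lines (documentation IP ranges, example.invalid), not real traffic.
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/May/2019:10:00:00 +0000] "GET /search?q=blue+widgets HTTP/1.1" 200 5120 "-" "{GOOGLEBOT_UA}"',
    f'192.0.2.10 - - [01/May/2019:10:00:05 +0000] "GET /search?q=%3Ca%20href%3D%22https%3A%2F%2Fexample.invalid%2F%22%3Ex%3C%2Fa%3E HTTP/1.1" 200 5300 "-" "{GOOGLEBOT_UA}"',
    '198.51.100.7 - - [01/May/2019:10:01:00 +0000] "GET /search?q=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    f'192.0.2.10 - - [01/May/2019:10:02:00 +0000] "GET /page?ref=%253Cscript%253E HTTP/1.1" 404 310 "-" "{GOOGLEBOT_UA}"',
]

if __name__ == "__main__":
    for hit in googlebot_markup_hits(SAMPLE_LOG):
        print(hit)
```

A flagged request that returned 200 identifies an endpoint to review for unescaped reflection of the named parameter.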

Tom Anthony notified Google about this vulnerability in November 2018, but the company did not consider it necessary to close it.

SEO community reaction

Western experts, including Moz founder Rand Fishkin and SEO consultant Cyrus Shepard, appreciated the publication of this information:

Yikes. Better make sure your sites are protected, especially if you're a likely link or content injection target. Thanks to @TomAnthonySEO for the transparency:

— Rand Fishkin (@randfish) May 1, 2019

Amazing Google vulnerability exposed by @TomAnthonySEO, which can be exploited for SEO

"XSS attacks on Googlebot allow search index manipulation"

Most interesting is they don't seem interested in fixing it. Does this mean Googlebot is ditching Chrome 41?

— Cyrus (@CyrusShepard) May 2, 2019

Google comment

A Google representative gave Search Engine Land the following comment:

“We are grateful to the researcher who brought this problem to our attention. We investigated, but did not find any evidence that [this vulnerability] is being abused. However, we remain vigilant and ready to protect our systems and make changes if necessary.”

