As a result, Tom Anthony decided to publish information about the vulnerability publicly, so that site owners would be aware of the potential threat. However, he noted that Google had reviewed his article before publication.
Brief description of the problem
Since Googlebot is based on Chrome 41, it lacks the XSS Auditor, which later versions of the browser use to protect users from XSS attacks. Meanwhile, many sites are vulnerable to attacks in which the URL is manipulated to inject JavaScript code into the page.
Tom Anthony notified Google of this vulnerability in November 2018, but the company did not consider it necessary to fix it.
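The URL-manipulation attack the article refers to is reflected XSS: a query parameter is copied into the HTML response without encoding, so whatever is in the URL becomes part of the page a browser, or a crawler rendering like a browser, executes. The following is an added example (not code from the article, from Google, or from Tom Anthony's research) showing that pattern in a minimal Node.js handler beside the hardened form that entity-encodes the parameter and sends a Content-Security-Policy header; function names such as renderSearchPageSafe and the constructed sample input are assumptions for illustration.

```javascript
// Added example, not from the original article. Demonstrates reflected XSS
// via a URL query parameter and the two standard server-side mitigations:
// contextual output encoding and a Content-Security-Policy header.
// Function names here are hypothetical.

// Entity-encode the five characters that change meaning in an HTML text node
// or quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable form: the untrusted "q" parameter is concatenated straight into
// markup, so markup in the URL becomes markup in the page.
function renderSearchPageUnsafe(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened form: the same parameter is encoded before insertion, so it can
// only ever appear as text, never as a tag or attribute.
function renderSearchPageSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Extract the "q" parameter from a raw request path; missing parameter -> "".
// The base origin is only needed because URL() requires an absolute URL.
function getQueryParam(rawUrl) {
  const url = new URL(rawUrl, "http://localhost");
  return url.searchParams.get("q") || "";
}

// Defence in depth: a CSP that forbids inline script means that even a
// template which forgets to encode cannot execute injected <script> content.
function responseHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
  };
}

// Build the full (status, headers, body) tuple for a request path so the
// handler can be exercised without opening a socket.
function handleRequest(rawUrl) {
  const q = getQueryParam(rawUrl);
  return { status: 200, headers: responseHeaders(), body: renderSearchPageSafe(q) };
}

// Constructed sample input: a request whose "q" parameter carries a tag.
const SAMPLE_PATH = "/search?q=" + encodeURIComponent("<script>/*constructed*/</script>");

// Shown for the reader: the unsafe handler reflects the tag, the safe one does not.
console.log("unsafe:", renderSearchPageUnsafe(getQueryParam(SAMPLE_PATH)));
console.log("safe:  ", handleRequest(SAMPLE_PATH).body);
```

Output encoding is the actual fix; the CSP header is a second layer for the case where some other template on the site is missed. Note that the crawler-side protection the article discusses (XSS Auditor) was only ever a heuristic, so a site should never rely on the client to neutralise reflected input.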
SEO community reaction
Western experts, including Moz founder Rand Fishkin and SEO consultant Cyrus Shepard, welcomed the publication of this information:
Yikes. Better make sure your sites are protected, especially if you're a likely link or content injection target. Thanks to @TomAnthonySEO for the transparency: https://t.co/9UDbiQ620C pic.twitter.com/sTzFKyBD2C
— Rand Fishkin (@randfish) May 1, 2019
Amazing Google vulnerability exposed by @TomAnthonySEO, which can be exploited for SEO
"XSS attacks on Googlebot allow search index manipulation"
Most interesting is they don't seem interested in fixing it. Does this mean Googlebot is ditching Chrome 41? https://t.co/a48mTXhGN1 pic.twitter.com/JC8nnmbwOk
— Cyrus (@CyrusShepard) May 2, 2019
A Google representative gave Search Engine Land the following comment:
"We are grateful to the researcher who brought this problem to our attention. We investigated, but did not find any evidence that [this vulnerability] is being abused. However, we remain vigilant and ready to protect our systems and make changes if necessary."