Google will finally be working to fix a bug in its search engine that allowed results to be spoofed and was first reported by Wietze Beukema in 2017. The UK-based security expert recently put together a detailed blog post outlining the bug, which relies on the shareability of the “knowledge cards” that appear alongside some search results on the site. Summarily, the bug hinges on the unique ‘kgmid’ designators that are assigned to individual cards and that are discoverable simply by clicking the share button on one of those cards. The number can be found simply by clicking on the share button on a card and then copying and pasting the subsequent short link into the URL bar or Omnibox. The ID number is clearly visible in the URL and can be copied out for use in a spoofed search query. By pasting that identification number to the end of any search result’s URL behind an ampersand, the copied card can be forced to display alongside the standard page that’s returned. Following that identifier with a second ampersand and the term “kponly” results in only the card appearing on the search page — as shown in the image below.
A long timeline on the fix
After Mr. Beukema first wrote about the issue, the story was picked up by the news and appears to have been spotted by Google. The security expert has since reported via Twitter that Google is “working on a fix” for the problem after the company spotted the story on TechCrunch. But the search giant has not offered any kind of timeline for when the fix might be implementing and this isn’t the first time the company has heard of the issue. When Mr. Beukema first filed a bug report on the matter in 2017, that report was allegedly closed and dismissed because it wasn’t deemed a severe enough problem to warrant attention. So there’s no guarantee that the fix will arrive quickly.
The severity of the problem
At first glance, the potential issues that could arise while the bug is still present may seem relatively harmless compared to similar bugs that allowed for the theft of $50 million in cryptocurrency early last year. As Mr. Beukema notes, that isn’t necessarily the case. With the rise concerns about fake news and the ease with which the bug is put to use, legitimate search results could be tampered and shared to propagate conspiracy theories and mislead those who are exposed to it. A bad actor might, for example, spoof the results of a search for “the world’s largest terrorist organization” so that it returns cards for FEMA or The American Red Cross. The biggest threat from queries that have been tampered with, however, might actually be most damaging to Google itself. Setting aside recent claims that Google might be biased in its search engine and similar sentiments that could be exacerbated by spoofed searches, the company has largely built its reputation on the trustworthy nature of its searches. The problem could eventually cause public trust in Google to diminish.