As a result, Tom Anthony decided to publish information about the vulnerability to inform site owners of the potential threat. However, he noted that Google reviewed his article before publication.
Brief description of the problem
Since Googlebot is based on Chrome 41, it does not have the XSS Auditor feature, which is used in later versions of the browser to protect users from XSS attacks. Meanwhile, many sites are vulnerable to attacks in which the URL is manipulated to inject JavaScript code.
Tom Anthony notified Google about this vulnerability in November 2018, but the company did not consider it necessary to fix it.
SEO community reaction
Western experts, including Moz founder Rand Fishkin and SEO consultant Cyrus Shepard, appreciated the publication of this information.
A Google representative provided the following comment to Search Engine Land:
“We are grateful to the researcher who brought this problem to our attention. We investigated, but did not find any evidence that [this vulnerability] is being abused. However, we remain vigilant and ready to protect our systems and make changes if necessary.”