Google has not closed the vulnerability that allows XSS attacks through Googlebot

5 months ago Tom Anthony, an employee of the Distilled agency, discovered a vulnerability that allows Googlebot to be manipulated into executing JavaScript and indexing the resulting changes, including injected links. The researcher notified Google of his discovery, but the company did not close the gap.

As a result, Tom Anthony decided to disclose the vulnerability publicly to inform site owners of the potential threat. He noted, however, that Google reviewed his article before publication.

Brief description of the problem

Since Googlebot is based on Chrome 41, it lacks the XSS Auditor, which later versions of the browser use to protect users from reflected XSS attacks. Meanwhile, many sites are vulnerable to attacks in which a crafted URL injects JavaScript into the page.

Because Googlebot executes JavaScript, an attacker can craft XSS URLs that manipulate the content of a victim site as Googlebot sees it. These manipulations may include adding links that Googlebot will follow in order to crawl the site they point to. This presumably makes PageRank manipulation possible, although the hypothesis has not been tested for fear of damaging the ranking of live sites.

Tom Anthony notified Google of this vulnerability in November 2018, but the company did not consider it necessary to close it.

SEO community reaction

Western experts, including Moz founder Rand Fishkin and SEO consultant Cyrus Shepard, welcomed the publication of this information.

Google comment

A Google representative gave Search Engine Land the following comment:

“We are grateful to the researcher who brought this problem to our attention. We investigated, but did not find any evidence that [this vulnerability] is being abused. However, we remain vigilant and ready to protect our systems and make changes if necessary.”
