Google Knowledge Panel Hijack Explained


ZDNet reported that a security researcher discovered that Google’s Knowledge Panels can be manipulated. The researcher notified Google a year ago, but Google declined to patch the alleged exploit. One possible reason is that it’s not really a hijacking exploit.

Yet, there may be reasons why Google should consider resolving this issue.

This is not a Hijacking Exploit

The alleged hijacking exploit allows anyone to alter Google’s Knowledge Panel so that they can insert any other knowledge panel into as many search results as they wish.

Here are the search results for “Who is the Best SEO?”

Screenshot of what appears to be an altered search result on Google that shows a fictional film character in the Knowledge Panel for the search phrase, “Who is the Best SEO?”

As you can see, I was able to use the so-called exploit to generate a search result that obviously was altered. Click here to see it for yourself. It’s shockingly easy to do. Anyone can do it.

But it’s not really a hijack of Google’s search results.

Why it is Not a Manipulation of Search Results

The report on ZDNet claims in the title that, “Google search results listings can be manipulated for propaganda.”

While that’s technically true, there’s more to it than the headline explains.

The so-called exploit does not alter Google’s search results at Google or for anyone other than the person looking at a specific URL.

What this so-called hijack does is allow someone to play around with the URL parameters in order to generate a modified version of Google’s search results.

What are URL Parameters?

A URL parameter is a piece of data carried in the URL. Everything that comes after a question mark (?) in the URL is a parameter.

Screenshot of a browser URL bar showing an example of what a URL parameter is. It's generally whatever comes after a question mark in the URL.

URL parameters pass information to the server. Depending on how the server is set up, they can tell the server what site you clicked through from or what browser you are using. The server then uses that information to alter the search results.

In this case, the URL…
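Because the altered panel exists only for whoever opens that specific URL, a shared search link can be checked before it is trusted. The following is an added example, not code from the article or from Google: it lists every parameter a link carries besides the search terms and rebuilds a query-only version. The allow-list, the sample links and the parameter name example_panel_id are assumptions constructed for illustration.

```javascript
// Added example, not from the article. Only "q" (the typed search terms) is
// treated as expected; that allow-list is an assumption for illustration.
const EXPECTED_PARAMS = new Set(["q"]);

// Constructed sample links. "example_panel_id" is a hypothetical placeholder
// name, not a real Google parameter.
const SAMPLE_PLAIN = "https://www.google.com/search?q=who+is+the+best+seo";
const SAMPLE_EXTRA = SAMPLE_PLAIN + "&example_panel_id=PLACEHOLDER";

function inspectSearchLink(link) {
  const url = new URL(link); // throws TypeError on a malformed link
  const extras = [];
  const counts = new Map();
  for (const [name, value] of url.searchParams) {
    counts.set(name, (counts.get(name) || 0) + 1);
    if (!EXPECTED_PARAMS.has(name)) extras.push({ name, value });
  }
  // A repeated name is ambiguous: client and server may pick different values.
  const duplicated = [...counts].filter(([, n]) => n > 1).map(([name]) => name);

  // Rebuild the link with nothing but the first search-terms value.
  const query = url.searchParams.get("q");
  const clean = new URL(url.origin + url.pathname);
  if (query !== null) clean.searchParams.set("q", query);

  return {
    host: url.hostname,
    query,
    extras,
    duplicated,
    hasExtras: extras.length > 0 || duplicated.length > 0,
    clean: clean.toString(),
  };
}

for (const link of [SAMPLE_PLAIN, SAMPLE_EXTRA]) {
  const r = inspectSearchLink(link);
  console.log(r.hasExtras ? "extra parameters:" : "query only:", r.clean);
  for (const { name, value } of r.extras) console.log(`  ${name} = ${value}`);
}
```

A link copied from a browser address bar normally carries several harmless extra parameters, so a reported extra is a prompt to compare against the query-only link, not proof of tampering.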

