Knowledge Graph 'bug' makes it possible to spoof Google search results
A security specialist has discovered a bug in Google's Knowledge Graph -- the cards that appear at the top of search results to highlight key pieces of information and provide quick answers to questions -- which makes it not only possible, but simple, to manipulate what a shared search link displays.
Wietze Beukema has demonstrated how it is possible to make simple tweaks to a search URL and display a knowledge panel card containing whatever data you want. While it is not possible to change the results that appear when people conduct a search, the bug means that fake links can be shared with others, displaying false information to mislead people.
In reality, this is not the first time this bug has been highlighted -- Search Engine Land wrote about it back in 2017, for example -- but now it is gaining more attention. In a post on his blog, Beukema -- who points out that he reported the bug a year ago -- explains how Knowledge Graph cards can be easily associated with any search result:
If you click on the share button -- present on every card -- you’ll be given a shortened link (an https://g.co/ address). Following this link will redirect you back to google.com with the original search query. What’s different, however, are the parameters used: the URL will contain a &kgmid parameter. The value of this parameter is the unique identifier of the Knowledge Graph card shown on the page.
As it turns out, you can add this parameter to any valid Google Search URL, and it will show you the Knowledge Graph card next to the search results of the search query. For instance, you can add the Knowledge Graph card of Paul McCartney (kgmid=/m/03j24kf) to a search for the Beatles, even though that card would normally not appear for that query.
While this can be helpful, this also means you can link up different pieces of information and give the impression they are related. Adding Paul McCartney's Knowledge Graph card to a search query for the Rolling Stones doesn’t make much sense, but if I give this link to my friend who doesn’t know much about music, she might think McCartney was a member of the Rolling Stones. By looking at the search results however, it's easy to find out this is not the case.
As the URL manipulation involves nothing more than tweaking parameters at the end of an address, when it is shared it appears -- and, indeed, is -- a genuine Google URL. Beukema demonstrates the potential of the spoofing trick by tacking a Knowledge Graph card about Pope Francis to a search about who endorsed Donald Trump. The same technique can be used in a variety of ways, and he warns that "a malicious user can use this to generate false information or 'fake news'".
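Because the only tell-tale sign is the extra &kgmid parameter on an otherwise genuine Google URL, a link checker can surface it before a recipient trusts the card. The following Python is an added example written for this article, not code from Beukema's blog or from Google: it parses a shared link, reports whether a Knowledge Graph id has been pinned to the query, and rebuilds the URL without it. The host lists are constructed assumptions (country-specific Google domains are not covered), and the g.co short-link branch only flags the link, since expanding it would require following redirects online.

```python
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse

# Hosts treated as Google Search front-ends. Constructed for this example;
# a real deployment would also cover the country-specific domains.
SEARCH_HOSTS = {"google.com", "www.google.com"}
# Host used by the share button's shortened links (from the article).
SHORTLINK_HOSTS = {"g.co"}


def inspect_google_link(url):
    """Describe a shared Google link.

    Returns a dict with:
      kind   - "search", "shortlink" or "other"
      query  - the q= search term (search links only)
      kgmid  - the Knowledge Graph id attached via &kgmid, if any
      flag   - True when a human should look before trusting the card
    """
    parts = urlparse(url)
    host = parts.netloc.lower()
    params = parse_qs(parts.query, keep_blank_values=True)

    if host in SHORTLINK_HOSTS:
        # g.co links hide the final query string; they must be expanded
        # (redirects followed) before the kgmid check can be applied.
        return {"kind": "shortlink", "query": None, "kgmid": None, "flag": True}

    if host in SEARCH_HOSTS and parts.path == "/search":
        kgmid = params.get("kgmid", [None])[0]
        return {
            "kind": "search",
            "query": params.get("q", [None])[0],
            "kgmid": kgmid,
            # A kgmid pins a specific card to the results regardless of the
            # query, so its presence is the signal the article describes.
            "flag": kgmid is not None,
        }

    return {"kind": "other", "query": None, "kgmid": None, "flag": False}


def strip_kgmid(url):
    """Rebuild a Google Search URL without the kgmid parameter, so the card
    shown (if any) is the one Google itself selects for the query."""
    parts = urlparse(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    params.pop("kgmid", None)
    return urlunparse(parts._replace(query=urlencode(params, doseq=True)))


if __name__ == "__main__":
    # Constructed sample: a Rolling Stones query with Paul McCartney's card
    # (kgmid=/m/03j24kf, the id quoted in the article) attached to it.
    sample = "https://www.google.com/search?q=rolling+stones&kgmid=/m/03j24kf"
    print(inspect_google_link(sample))
    print(strip_kgmid(sample))
```

The check deliberately treats any kgmid as worth a second look rather than trying to decide whether the card "belongs" to the query; that judgement needs Google's own ranking, which is exactly what the parameter bypasses.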