41 comments

[ 1.7 ms ] story [ 96.9 ms ] thread
Mining Monero on googlebot anyone?
It's not going to stay long enough on one page to do so.
Then distribute it over more than one page.
it stays on a page for 30 seconds, and has a pretty decent CPU.

I'm going to guess you could get a decent amount of monero mined...

Googlebot will only visit a page if it thinks that (on average across the domain), there are ~99 human visitors for every bot visit. So you'll have to hide the monero miner on a popular domain.

That definitely is not true. I know sites that have higher share of bot visits than 1%.
"Since Googlebot executes Javascript, this allows an attacker to craft XSS URLs that can manipulate the content of victim sites."

In some imaginary future with ubiquitous headless browser-based bots, having Javascript disabled might actually be a good test for "Are you human?"

No fix citing "internal communication difficulties", perhaps Google could use, I don't know, some kind of tool. I too work for a huge company, and oddly enough we also have communications difficulties sometimes despite all of our tools. But we not a technology company, seems like a Google should be better at this.
"internal communication difficulties" does not mean "I can't talk to the person", it means political infighting or the responsible team doesn't care/see it as a problem.
There is probably a long winded explanation somewhere how this is actually a feature and not an exploit.
Well, how are you going to fix it without removing important features like submitting pages to the index? There are no perfect XSS auditors; you can fairly consistently work around Chrome’s, which is why they’re giving up on it now.

I don’t see any realistic solution to this problem.

I can imagine the search teams response now...

"If your site has an XSS, then anyone can make any content appear on that domain... So why's it so bad if anyone can also make anything appear on the domain in Google Search? - we're just reflecting reality.

Next you guys will report that you wrote a comment in hackernews and that appeared on google search too!"

> No fix citing "internal communication difficulties", perhaps Google could use, I don't know, some kind of tool.

That's the problem: half the team was using Google Hangouts, the other half of the team were using Google Meet, and three random guys are using Allo.

Don't forget the one stubborn person still using Wave
Nicely laid out for the black hatters!
Hard to decide. Should the white hatters get enough information to deal with a problem at the risk of informing the black hatters something they did not know?

Or do you assume the black hatters already have access to all the information they want to know, and it is only the white hatters who are left in the dark by hiding information ?

They are probably already aware of this if they do this sort of black hat SEO type stuff.
Yeah, this particular technique is as old as the hills.

CVE-2007-1287 was abused for this specific purpose over a decade ago, and remnants of that still occasionally show up in google indexes.

Here are the steps to reproduce the attack from what I gather:

1. Find a vulnerable site. The author picked Revolut, a 3-year old, well-funded fintech startup. Others might be found at https://www.openbugbounty.org.

2. Inject the script. The author did so by tacking a URL parameter containing script content to a link he obtained from the Revolut site.

3. Preview the attack with Google's Web Rendering Service, which apparently uses the same version of Chrome used by Googlebot.

4. Submit the link to Googlebot for crawling.

5. View the cached page from the Google results page.

> I reported this to Google in November 2018, but after 5 months they had made no headway on the issue (citing internal communication difficulties), and therefore I’m publishing details such that site owners and companies can defend their own sites from this sort of attack. Google have now told me they do not have immediate plans to remedy this.

Translation: Google declares open season on this attack.

>Google declares open season on this attack.

This has always been the case, people have been exploiting this for at least a decade.

The thing with this vulnerability is that it is just an XSS.

It has nothing to do with Google apart from the fact they don't run GoogleBot using a recent version of Chrome.

The other thing is that if I understand correctly, this could work without JavaScript. You could just inject HTML <a> tags to inject links in XSS vulnerable website.

PS: Apparently Google Bot has been updated to the latest version of Chromium which means it is even less a vulnerability on Google's side.

Exactly. The breathlessness of the article made no sense to me. It's like someone writing, "Did you know that if someone breaks into your home, they can rearrange the books on your bookshelf‽" Well, yes, of course they can but if someone has broken into my house, unauthorized alphabetization is the least of my worries.

Similarly, if there's an XSS vulnerability on my site, Google search index manipulation is pretty far down on the list of things I'm going to be worried about.

Think of it more like a DDOS. If they break into your house, you have bigger worries. If they break into the houses of a hundred thousand strangers, and use them to demonstrate that their site should get all the search results and your site goes on page 5, what can you do?
My compliments on "unauthorized alphabetization".

(and the interrobang, obviously)

  It has nothing to do with Google
Some people might expect Google to detect and block black hat SEO techniques? And see this behaviour as Google erroneously miscounting links to pages?
The links won't really matter though, because they don't have value. You need somebody to link to the XSS'd URL for the links to help you with SEO, preferably linking to it from the legit page - which will generally not happen, and if you can make it happen, you don't need this attack, you can just link to your page directly.
brilliant use of XSS here. This is just great.
This is actually not bad. Maybe it will make site developers aware of XSS and motivates to fix it?

It isn't Google's job to fix your broken sites.

I accidentally found this circa 2008. I found a xss vulnerability on a local news website, where I could inject js into the webpage URL.

I then posted a poc on my blog. The poc will create a img link to my blog.

To my surprise my blog ranked 2nd for the news name. The only explanation that I can think of was googlebot followed the poc link and thought the news site has a link to my blog. Of course this is only possible if googlebot execute js, which was not a standard for other crawlers at that time.

I believe the blackhat term for this is Google Bowling. Correct me if I'm wrong.

I'm curious if the author had just injected a URL as plaintext, no JS involved, does the Googlebot also follow strings that just look like URLs?
Looks like Tom's blog is toast atm - 502 error. This is why we can't have nice things.