it stays on a page for 30 seconds, and has a pretty decent CPU.
I'm going to guess you could get a decent amount of monero mined...
Googlebot will only visit a page if it thinks that (on average across the domain), there are ~99 human visitors for every bot visit. So you'll have to hide the monero miner on a popular domain.
No fix citing "internal communication difficulties", perhaps Google could use, I don't know, some kind of tool. I too work for a huge company, and oddly enough we also have communications difficulties sometimes despite all of our tools. But we not a technology company, seems like a Google should be better at this.
"internal communication difficulties" does not mean "I can't talk to the person", it means political infighting or the responsible team doesn't care/see it as a problem.
Well, how are you going to fix it without removing important features like submitting pages to the index? There are no perfect XSS auditors; you can fairly consistently work around Chrome’s, which is why they’re giving up on it now.
I don’t see any realistic solution to this problem.
"If your site has an XSS, then anyone can make any content appear on that domain... So why's it so bad if anyone can also make anything appear on the domain in Google Search? - we're just reflecting reality.
Next you guys will report that you wrote a comment in hackernews and that appeared on google search too!"
Hard to decide. Should the white hatters get enough information to deal with a problem at the risk of informing the black hatters something they did not know?
Or do you assume the black hatters already have access to all the information they want to know, and it is only the white hatters who are left in the dark by hiding information ?
Here are the steps to reproduce the attack from what I gather:
1. Find a vulnerable site. The author picked Revolut, a 3-year old, well-funded fintech startup. Others might be found at https://www.openbugbounty.org.
2. Inject the script. The author did so by tacking a URL parameter containing script content to a link he obtained from the Revolut site.
3. Preview the attack with Google's Web Rendering Service, which apparently uses the same version of Chrome used by Googlebot.
4. Submit the link to Googlebot for crawling.
5. View the cached page from the Google results page.
> I reported this to Google in November 2018, but after 5 months they had made no headway on the issue (citing internal communication difficulties), and therefore I’m publishing details such that site owners and companies can defend their own sites from this sort of attack. Google have now told me they do not have immediate plans to remedy this.
Translation: Google declares open season on this attack.
The thing with this vulnerability is that it is just an XSS.
It has nothing to do with Google apart from the fact they don't run GoogleBot using a recent version of Chrome.
The other thing is that if I understand correctly, this could work without JavaScript. You could just inject HTML <a> tags to inject links in XSS
vulnerable website.
PS: Apparently Google Bot has been updated to the latest version of Chromium which means it is even less a vulnerability on Google's side.
Exactly. The breathlessness of the article made no sense to me. It's like someone writing, "Did you know that if someone breaks into your home, they can rearrange the books on your bookshelf‽" Well, yes, of course they can but if someone has broken into my house, unauthorized alphabetization is the least of my worries.
Similarly, if there's an XSS vulnerability on my site, Google search index manipulation is pretty far down on the list of things I'm going to be worried about.
Think of it more like a DDOS. If they break into your house, you have bigger worries. If they break into the houses of a hundred thousand strangers, and use them to demonstrate that their site should get all the search results and your site goes on page 5, what can you do?
The links won't really matter though, because they don't have value. You need somebody to link to the XSS'd URL for the links to help you with SEO, preferably linking to it from the legit page - which will generally not happen, and if you can make it happen, you don't need this attack, you can just link to your page directly.
I accidentally found this circa 2008. I found a xss vulnerability on a local news website, where I could inject js into the webpage URL.
I then posted a poc on my blog. The poc will create a img link to my blog.
To my surprise my blog ranked 2nd for the news name. The only explanation that I can think of was googlebot followed the poc link and thought the news site has a link to my blog. Of course this is only possible if googlebot execute js, which was not a standard for other crawlers at that time.
I believe the blackhat term for this is Google Bowling. Correct me if I'm wrong.
41 comments
[ 1.7 ms ] story [ 96.9 ms ] threadI'm going to guess you could get a decent amount of monero mined...
Googlebot will only visit a page if it thinks that (on average across the domain), there are ~99 human visitors for every bot visit. So you'll have to hide the monero miner on a popular domain.
(Disclosure: I work for Google)
In some imaginary future with ubiquitous headless browser-based bots, having Javascript disabled might actually be a good test for "Are you human?"
I don’t see any realistic solution to this problem.
"If your site has an XSS, then anyone can make any content appear on that domain... So why's it so bad if anyone can also make anything appear on the domain in Google Search? - we're just reflecting reality.
Next you guys will report that you wrote a comment in hackernews and that appeared on google search too!"
That's the problem: half the team was using Google Hangouts, the other half of the team were using Google Meet, and three random guys are using Allo.
Or do you assume the black hatters already have access to all the information they want to know, and it is only the white hatters who are left in the dark by hiding information ?
CVE-2007-1287 was abused for this specific purpose over a decade ago, and remnants of that still occasionally show up in google indexes.
1. Find a vulnerable site. The author picked Revolut, a 3-year old, well-funded fintech startup. Others might be found at https://www.openbugbounty.org.
2. Inject the script. The author did so by tacking a URL parameter containing script content to a link he obtained from the Revolut site.
3. Preview the attack with Google's Web Rendering Service, which apparently uses the same version of Chrome used by Googlebot.
4. Submit the link to Googlebot for crawling.
5. View the cached page from the Google results page.
> I reported this to Google in November 2018, but after 5 months they had made no headway on the issue (citing internal communication difficulties), and therefore I’m publishing details such that site owners and companies can defend their own sites from this sort of attack. Google have now told me they do not have immediate plans to remedy this.
Translation: Google declares open season on this attack.
This has always been the case, people have been exploiting this for at least a decade.
It is no longer true: https://searchengineland.com/google-will-ensure-googlebot-ru...
It has nothing to do with Google apart from the fact they don't run GoogleBot using a recent version of Chrome.
The other thing is that if I understand correctly, this could work without JavaScript. You could just inject HTML <a> tags to inject links in XSS vulnerable website.
PS: Apparently Google Bot has been updated to the latest version of Chromium which means it is even less a vulnerability on Google's side.
Similarly, if there's an XSS vulnerability on my site, Google search index manipulation is pretty far down on the list of things I'm going to be worried about.
(and the interrobang, obviously)
It isn't Google's job to fix your broken sites.
I then posted a poc on my blog. The poc will create a img link to my blog.
To my surprise my blog ranked 2nd for the news name. The only explanation that I can think of was googlebot followed the poc link and thought the news site has a link to my blog. Of course this is only possible if googlebot execute js, which was not a standard for other crawlers at that time.
I believe the blackhat term for this is Google Bowling. Correct me if I'm wrong.
or open the main url with firefox browser: http://bedbreakfast.be/en/tunis-662?slt_city=%3C/script%3E%3...
Is PageRank still used by Google?
(@methode works for Google)
> Ex-Google-Search engineer here
> The comments here that PageRank is Google's secret sauce also aren't really true - Google hasn't used PageRank since 2006.
[0] https://news.ycombinator.com/item?id=20442044