A year and a half ago Google began supporting the cross domain canonical tag and some people were concerned there would be ways to abuse the system. Well, even Google was concerned, which is why they waited ten months to introduce the cross domain version of the canonical tag.
I've haven't heard much of people complaining that their site was negatively impacted by the tag.
But now, it seems like hackers who focus on SEO hacking, have been recently targeting vulnerable sites and stealing (or hijacking) their traffic with this tag.
A WebmasterWorld thread has well-known moderator, goodroi, reporting he is seeing hackers exploit this tag now.
It isn't an issue with the canonical tag specifically, but rather hackers gaining access to a server and the site's code and basically redirecting the domain name to a third-party site. goodroi said:
I came across a website with canonical tags setup on all of their pages and they were pointing to a spam site. I suspect someone hacked in and changed the canonical tags to siphon link juice. Now that cross cross-domain canonical tags are supported I would not be surprised if this becomes more common.The canonical tag is a small line of code that is easy to overlook despite its large implications.
It is so important to stay on top of your security patches and make sure your sites are hacker-free - if there is such a thing. The canonical tag is almost as strong and setting up a 301-redirect from a domain to a different domain. So be careful!
Forum discussion at WebmasterWorld.
Update: Matt Cutts of Google wrote a blog post just now on the topic, without referencing either the thread or this post directly, saying:
Another example where we might not go with your rel=canonical preference: if we think your website has been hacked and the hacker added a malicious rel=canonical. I recently tweeted about that case. On the “bright” side, if a hacker can control your website enough to insert a rel=canonical tag, they usually do far more malicious things like insert malware, hidden or malicious links/text, etc.
How would Google know if it is hacked? Well, they are pretty good at knowing that. But also, if the rel=canonical is not in the header, i.e. rather in the body - Google won't trust it. In fact, if you want the rel=canonical to work, Matt recommends you "make sure that the rel=canonical is the first or one of the first things in the HEAD section."
Got that?
