Tom Anthony after 5 months of informing Google about a way to manipulate Googlebot to execute Javascript on other people's websites where Google can and will index those changes, including links, he decided to publish the details publicly, since Google didn't take action.
Google told us at Search Engine Land "We appreciate the researcher bringing this issue to our attention. We have investigated and have found no evidence that this is being abused, and we continue to remain vigilant to protect our systems and make improvements."
Yea - okay, well, now they need to go fix it. It is sad to hear that they have known about this for 5 months and have yet to fix it. It reminds me of when they knew about the knowledge panel exploit for years and didn't fix that until it became a huge issue.
Here are some tweets about this from folks in the industry:
Amazing Google vulnerability exposed by @TomAnthonySEO, which can be exploited for SEO
— Cyrus (@CyrusShepard) May 2, 2019
"XSS attacks on Googlebot allow search index manipulation"
Most interesting is they don't seem interested in fixing it. Does this mean Googlebot is ditching Chrome 41?https://t.co/a48mTXhGN1 pic.twitter.com/JC8nnmbwOk
Yikes. Better make sure your sites are protected, especially if you're a likely link or content injection target. Thanks to @TomAnthonySEO for the transparency: https://t.co/9UDbiQ620C pic.twitter.com/sTzFKyBD2C
— Rand Fishkin (@randfish) May 1, 2019
Nice write up. With regards the disclosure... I believe releasing it is the best course of action. Google confirmed it was not going to be fixed and the only way for people to protect themselves is to know about it. Google reviewed my post before it was released. :)
— Tom Anthony (@TomAnthonySEO) May 2, 2019
Tom goes through how to accomplish this on his blog in detail and I suspect Google will now have to race to fix the issue before some take advantage of it - if Google is telling the truth that no one has yet used this method. Of course, webmasters should make sure their sites against XSS exploits but there are lots of web sites out there that probably are not.
Forum discussion at Twitter.
