Google 302 Exploit Knocks Sites Out
clsc writes "The exploit: Redirect via 302 to another page of your choice, then watch as the URL of your redirect script replaces the URL of that carefully selected page in Google's search results. Once this happens, feel free to redirect any visitor that is not Googlebot to any other page of your choice. Also applies to other search engines as well (not Yahoo! though)."
Web wide malware. The return of Goatse cannot be far behind... Pun intended.
Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
1. post how to generate more traffic to one's website by exploiting a flaw in google on /.
...
2. show a "random" ad (336px by 280 px) promoting 'google adsense' clearly stating "how to turn your website into a revenue generator in minutes" at said post.
3. $$$
SELL SELL SELL SHORT!!!!
boy, sending me to the wrong page is such a scary and horrible thing to do. Luckily my browser came equipped with the special "back button" anti-malware plugin.
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
Insert MS blame here
Hey look! Someone forgot to RTFA!
You use 302 to hijack someone else's page in Google's search results. Your bogus ad infested page shows up instead of the actual content the user was searching for (and thought they were going to see), while the real website that you hijacked doesn't get any more Google traffic. That's the exploit.
Dumbass.
This is totally true.
There are basically two schools of thought in SEO as I've seen it. You can either try and be everywhere (spamming by creating zillions of pages and links) or you can be interesting (like this blog; people want to come here, instead of needing to be tricked).
Unfortunately, most people are about as interesting as watching grass grow, and they know it. So they spam the search engines and aim for the lowest common denominator. Sad, really.
I Want To Believe
If the googlebot scans the redirected page and assigns weights based on the end result page, but assigns the ranking to your original page, then you are essentially stealing pagerank from the proper host.
That is my understanding of the problem, and part of the reason why redirects appear to get higher rankings than simply copying and pasting somebody's content.
As for covert googlebots, I'm sure they exist as R&D items, but doubt they would be set up in the manner you describe.
liqbase
The main thread about this on WebMasterWorld is over 500 posts now... lots of good info there.
This sig all sigs devours
Do you mean this is not www.kuro5hin.org ??
BoD
You access your bank from a computer you don't have complete control of?
Have you considered tapdancing in minefields as an alternative?
_O_
.|< The named which can be named is not the true named
There seems to be a lot of confusion as to why exactly this is such a big deal. A lot of people saying there's no problem or that this is nothing... basically just not understanding the issue. Let me explain:
Suppose you have a small business under the domain http://xyz.com/, and search engines bring you a lot of traffic because you rank high for keywords in your market. You have a lot of people out there linking to you, a lot of satisfied customers, good content on your site. You're always in the top 10 somewhere when people search for "xyz widgets".
Well, this issue with Google makes it very easy -- incredibly easy -- for someone to knock your site out of the rankings entirely. And I mean for *everything*, to where searching for your own company name in quotes literally buries you hundreds of pages deep in the results. We're talking sites going from getting 1000 unique hits to 10 overnight.
And here's the kicker: It requires absolutely no technical knowledge, no time investment, and is perfectly legal...
All I have to do is have another domain handy that is roughly as popular as yours. And I make a "links" page, like one of those directory services, that lists your website. But instead of being a normal hyperlink, it's a CGI (or PHP or ASP or whatever) script that generates a 302 redirect to your domain... Now, these are very simple, common scripts. One-liners that you can download from cgiscripts.com and stick on your server. The original intent of these scripts is to track which links are being clicked on your site. But now they've found a new use, because when Google gets that 302, all hell breaks loose.
See, according to the HTTP spec, 302 is a *temporary* redirect, which means Google is supposed to interpret whatever content it finds at the 302 target (your site) as really belonging to the URL of the source (my site). Google is just obeying the spec strictly here, and with devastating results. Why? BECAUSE THE DUPE FILTER NOW KICKS IN! You see, Google has a "dupe filter" that says if the same exact content is found for two unique URLs, then one of the URLs is obliterated in the rankings. Because after all, searchers don't want to be finding the same content over and over. If that happens, they'll start using a different search engine. But Google, sticking strictly to the HTTP spec, doesn't know who the content really belongs to when it gets a 302.
So Google essentially flips a coin. And if it comes up tails, say bye-bye to your domain in the rankings. Your *entire* domain. Because the dupe filter isn't limited to just the page that the 302 is pointing to -- it applies across your entire domain.
These 302 "exit-link-trackers" are all over the web. They've been used by webmasters for years. But it's just recently that Google has started treating 302 this way, so it didn't have any bad effect before. But now it kills you.
The funny thing is, the solution seems pretty simple: Just stop treating 302s this way if they point to a different domain. But for whatever reason Google isn't listening. Hopefully the press that's being generated now will give them the kick in the ass that they need.
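The comment above describes two crawler behaviours that combine into the hijack: crediting a cross-domain 302's content to the redirecting URL, and a dupe filter that keeps only one URL per piece of content. The following is an added example (not code from the post, from Google, or from any real search engine) of a toy crawler that models both behaviours and the fix the commenter proposes, so a defender can see exactly which URL survives the dupe filter under each policy. The hostnames (attacker.example, xyz.example, mirror.example), the `WEB` table standing in for real HTTP fetches, and the `cross_host_302_is_permanent` policy switch are all constructed for the example.

```python
import hashlib
from urllib.parse import urljoin, urlsplit

# Constructed mini-web: URL -> (status, headers, body). It is not a real HTTP client.
# attacker.example hosts a 302 "exit-link tracker" pointing at the victim's homepage.
WEB = {
    "http://attacker.example/links/out.cgi?id=7": (302, {"Location": "http://xyz.example/"}, ""),
    "http://xyz.example/": (200, {}, "<h1>XYZ Widgets</h1><p>Fine widgets since 1999.</p>"),
    "http://xyz.example/old": (302, {"Location": "/"}, ""),  # same-host temporary redirect
    "http://mirror.example/": (200, {}, "<h1>XYZ Widgets</h1><p>Fine widgets since 1999.</p>"),  # true duplicate
    "http://xyz.example/moved": (301, {"Location": "http://xyz.example/new"}, ""),
    "http://xyz.example/new": (200, {}, "<p>New page</p>"),
}

MAX_HOPS = 5  # bound on redirect chains so a loop cannot hang the crawler


def fetch(url):
    """Stand-in for an HTTP GET against the constructed WEB table."""
    return WEB.get(url, (404, {}, ""))


def resolve(url, cross_host_302_is_permanent=True):
    """Follow redirects from `url`; return (canonical_url, final_url, body).

    Attribution policy (hypothetical, modelled on the thread's discussion):
      * 301: content is credited to the target (a permanent move).
      * 302 to the SAME host: content stays credited to the source, as RFC 2616
        intends for a temporary redirect.
      * 302 to a DIFFERENT host: with cross_host_302_is_permanent=True the
        content is credited to the target (the commenter's proposed fix); with
        False the strict-spec reading is kept and the redirecting URL claims it.
    """
    canonical = url
    current = url
    for _ in range(MAX_HOPS):
        status, headers, body = fetch(current)
        if status in (301, 302) and "Location" in headers:
            target = urljoin(current, headers["Location"])
            same_host = urlsplit(current).netloc == urlsplit(target).netloc
            if status == 301 or (not same_host and cross_host_302_is_permanent):
                canonical = target
            # otherwise (302 within one host, or strict mode) keep crediting `canonical`
            current = target
            continue
        return canonical, current, body
    raise RuntimeError("redirect loop or too many hops: %s" % url)


def index(urls, **policy):
    """Crawl `urls`, apply a dupe filter, and return {canonical_url: content_hash}.

    Identical bodies collapse onto the first canonical URL seen. Under the strict
    policy that first URL is the attacker's redirect script, so the victim's own
    homepage is the one dropped from the index.
    """
    first_owner = {}  # content hash -> canonical URL that first claimed it
    for url in urls:
        canonical, _, body = resolve(url, **policy)
        if not body:
            continue
        digest = hashlib.sha256(body.encode()).hexdigest()
        first_owner.setdefault(digest, canonical)
    return {canon: digest for digest, canon in first_owner.items()}


if __name__ == "__main__":
    crawl_order = [
        "http://attacker.example/links/out.cgi?id=7",
        "http://xyz.example/",
        "http://mirror.example/",
        "http://xyz.example/old",
        "http://xyz.example/moved",
    ]
    print("strict 302 handling:", sorted(index(crawl_order, cross_host_302_is_permanent=False)))
    print("cross-host 302 credited to target:", sorted(index(crawl_order)))
```

With the strict policy the surviving key for the XYZ Widgets content is the attacker's `out.cgi` URL and `http://xyz.example/` is gone; with the fix the homepage survives while the genuine duplicate at mirror.example is still filtered, which is the behaviour the dupe filter was built for. The same-host 302 (`/old`) keeps its source URL in both modes, so ordinary on-site temporary redirects are unaffected by the proposed change.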