Google 302 Exploit Knocks Sites Out

clsc writes "The exploit: Redirect via 302 to another page of your choice, then watch as the URL of your redirect script replaces the URL of that carefully selected page in Google's search results. Once this happens, feel free to redirect any visitor that is not Googlebot to any other page of your choice. Also applies to other search engines as well (not Yahoo! though)."
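An added example, not part of the submission or the linked article: a sketch of how an indexer could choose the listing URL for a redirect, with a naive policy that models the behaviour the submission describes beside a hardened one that credits cross-site 302s to the destination. The crawl records, the function names and the crude `www.`-stripping same-site check are assumptions made for illustration; the hostnames `r.example.tld` and `news.bbc.co.uk` are the ones used in the discussion.

```python
from urllib.parse import urljoin, urlsplit

# Constructed crawl records: (fetched URL, HTTP status, Location header or None).
CRAWL = [
    ("http://r.example.tld/foo/rAndoMLettERS", 302, "http://news.bbc.co.uk/"),
    ("http://shop.example.org/", 302, "/en/home"),  # same-site, relative target
    ("http://example.org/old", 301, "http://www.example.org/new"),
    ("http://www.example.org/new", 200, None),
]


def site_key(url):
    """Crude same-site key: lowercased host without a leading 'www.'.
    Assumption: a real crawler would compare registrable domains instead."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def naive_index_url(fetched, status, location):
    """Model of the behaviour described in the submission: a 302 is
    'temporary', so the redirecting URL stays as the listing URL, while
    a 301 is permanent and the destination is listed."""
    if status == 301 and location:
        return urljoin(fetched, location)
    return fetched


def hardened_index_url(fetched, status, location):
    """Credit content to the destination whenever a redirect leaves the
    site; only a same-site 302 keeps the redirecting URL."""
    if status in (301, 302) and location:
        target = urljoin(fetched, location)  # resolves relative Location values
        if status == 301 or site_key(target) != site_key(fetched):
            return target
    return fetched


def hijack_candidates(records):
    """URLs that the naive policy would list in place of another site's page."""
    return [
        fetched
        for fetched, status, location in records
        if naive_index_url(fetched, status, location)
        != hardened_index_url(fetched, status, location)
    ]


if __name__ == "__main__":
    for url in hijack_candidates(CRAWL):
        print("cross-site 302 would take over a listing:", url)
```
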
  • Splendid (Score:5, Insightful)

    by Netsensei ( 838071 ) on Tuesday March 15, 2005 @09:23AM (#11942444) Homepage
    1. post how to generate more traffic to one's website by exploiting a flaw in google on /.
    2. show a "random" ad (336px by 280 px) promoting 'google adsense' clearly stating "how to turn your website into a revenue generator in minutes" at said post.

    ...

    3. $$$
  • The dark path (Score:2, Insightful)

    by lanc ( 762334 ) on Tuesday March 15, 2005 @09:25AM (#11942457)

    sure. Do some 302 redirect-statistic-hack. Make money. Cheat your customers. No it's no excuse that other ones are doing it as well, bad attitude.

    We are the Borg of LiarMarketing. Resistance is futile, human.

    come on - get a life, be straight.
  • by Junior J. Junior III ( 192702 ) on Tuesday March 15, 2005 @09:26AM (#11942460) Homepage
    It's an exploit if you can't prevent someone from misusing 302, or to filter out malicious uses of 302 from legitimate ones.
  • Re:yawn (Score:2, Insightful)

    by Chris Kamel ( 813292 ) on Tuesday March 15, 2005 @09:26AM (#11942462)
    it will be when your 14 year old boy searches for something for his research paper and gets redirected to pr0n instead.
  • Follow the advice (Score:2, Insightful)

    by Redwin ( 805980 ) on Tuesday March 15, 2005 @09:28AM (#11942472)
    In the article it says:

    "For this to happen, we need to put some pressure on the search engines."

    Such as posting it on /. I'm sure that would create attention!
  • Fake Banks (Score:4, Insightful)

    by Anonymous Coward on Tuesday March 15, 2005 @09:30AM (#11942481)
    The use of the exploit isn't just to childishly send people to Goatse - it's about money. What happens when you go to your bank's website and get redirected to an identical-looking website that steals your information?
  • Re:yawn (Score:3, Insightful)

    by Ziviyr ( 95582 ) on Tuesday March 15, 2005 @09:30AM (#11942483) Homepage
    Gotta be nuts to let kids roam unsupervised about the net.
  • Re:The dark path (Score:5, Insightful)

    by filmmaker ( 850359 ) * on Tuesday March 15, 2005 @09:35AM (#11942511) Homepage
    This is totally true.

    There are basically two schools of thought in SEO as I've seen it. You can either try and be everywhere (spamming by creating zillions of pages and links) or you can be interesting (like this blog; people want to come here, instead of needing to be tricked).

    Unfortunately, most people are about as interesting as watching grass grow, and they know it. So they spam the search engines and aim for the lowest common denominator. Sad, really.
  • Re:WTF (Score:5, Insightful)

    by LiquidCoooled ( 634315 ) on Tuesday March 15, 2005 @09:40AM (#11942547) Homepage Journal
    If the googlebot scans the redirected page and assigns weights based on the end result page, but assigns the ranking to your original page, then you are essentially stealing pagerank from the proper host.

    That is my understanding of the problem, and part of the reason why redirects appear to get higher rankings than simply copy and pasting somebody's content.

    As for covert googlebots, I'm sure they exist as R&D items, but doubt they would be set up in the manner you describe.
  • Re:Fake Banks (Score:5, Insightful)

    by millette ( 56354 ) <robin@@@millette...info> on Tuesday March 15, 2005 @09:41AM (#11942550) Homepage Journal
    euh, ssl certificates ?
  • Bollox (Score:2, Insightful)

    by pgregg ( 185457 ) on Tuesday March 15, 2005 @09:44AM (#11942576) Homepage
    It doesn't replace the URL at all. My reading is that google simply adds a new page in the database for the url you gave it. In this regard, how is this any different to a wget --mirror on the attempted "hijacked" site? Maybe more efficient but the net result is you are just trying to blag google hits of someone else's content.

    PageRank _should_ sort this out as I'm sure lots more people will be linking to news.bbc.co.uk than to r.example.tld/foo/rAndoMLettERS (from the example).

    Storm in a [child's] teacup.
  • Re:yawn (Score:5, Insightful)

    by Anonymous Coward on Tuesday March 15, 2005 @09:45AM (#11942581)
    I don't know if you're a father or something, but I was less than 10 years old when I first looked at porn and it was love at first sight! That did not make me a sick pervert: I'm an engineer now and I don't regret a second having looked at porn magazines in my youth.
  • by Anonymous Coward on Tuesday March 15, 2005 @09:46AM (#11942589)
    Everyone is interesting about something.
    It is when they get greedy that they start to suck.

  • Re:yawn (Score:1, Insightful)

    by Anonymous Coward on Tuesday March 15, 2005 @09:51AM (#11942619)
    It really depends on if you consider 14 year olds children or not. I know I was unsupervised even before 5th grade. I'm fairly certain that it was too early for me, but 14 sounds old enough to me.
  • Two words (Score:2, Insightful)

    by Anonymous Coward on Tuesday March 15, 2005 @10:07AM (#11942716)
    Windows firewall.

    Windows firewall apparently put the rubber on any bugs out there spreading rapidly. Don't lose all hope though there's plenty of viruses that can spread the old fashioned way, through email and MSN. Not even by exploiting vulnerabilities, just by suckering people.

    "Visit this URL and download and run this cool file"

    I expect a nasty IM virus someday.
  • Re:yawn (Score:5, Insightful)

    by MadMartigan2001 ( 766552 ) on Tuesday March 15, 2005 @10:07AM (#11942719)
    Hmmm, let's see if we can calculate this...

    Research paper = good
    Porn = bad
    Young boy = Becoming a sexual being

    Grand total = Neurotic young man who feels guilty for acknowledging his sexual feelings.

    Why is it so hard for some people to acknowledge the simple fact that young people of all ages have sexual feelings that are natural. And to repress those feelings and smother them in guilt is a very very damaging thing to do.

    OH ya, I forget, all the fundamentalist (pick any religion) know exactly how we are all supposed to feel. Excuse me while I go puke!
  • Re:Fake Banks (Score:5, Insightful)

    by R.Caley ( 126968 ) on Tuesday March 15, 2005 @10:07AM (#11942721)
    I use google all the time if I'm on someone else's computer since my bank has a strange URL

    You access your bank from a computer you don't have complete control of?

    Have you considered tapdancing in minefields as an alternative?

  • Re:Fake Banks (Score:2, Insightful)

    by jwin1020 ( 148430 ) on Tuesday March 15, 2005 @10:10AM (#11942744)
    Of course hacking the root DNS servers is just a _little_ harder than putting up a web page with a redirect.
  • Re:Bollox (Score:3, Insightful)

    by julesh ( 229690 ) on Tuesday March 15, 2005 @10:18AM (#11942815)
    My understanding is that it adds the PageRank of the page you redirect to, and applies it to your site. So, you appear in the listing right next to the site you linked to, above it if you have a pagerank of your own to add. If you just copied the content, then you'd end up with your own page rank only, throwing you down at the bottom of the list somewhere...
  • Re:Fake Banks (Score:3, Insightful)

    by vperez ( 162398 ) on Tuesday March 15, 2005 @10:25AM (#11942862)
    Anyone who uses Google to search for their bank instead of getting the URL from their bank statement needs to be taught better.

    Users need to be a lot less trusting of things online, especially if it's the result of a search.
  • Re:Fake Banks (Score:3, Insightful)

    by Donny Smith ( 567043 ) on Tuesday March 15, 2005 @10:38AM (#11942953)
    > euh, ssl certificates ?

    Errr, SSL certs what?

    Once you get directed to a fake site, you can SSL all you want.

    99% of people NEVER check SSL certificates but instead choose to continue encrypted access because that's the easiest thing to do.

    And not to mention that most (financial enterprises excluded) SSL sites are self-signed, so there's no fucking point of looking at that crap anyway (morons who run unimportant mailing list archives on HTTPS instantly sprint to mind).
  • Re:yawn (Score:5, Insightful)

    by lpangelrob2 ( 721920 ) on Tuesday March 15, 2005 @10:53AM (#11943045) Journal
    Is mentioning porn = good and fundamentalist religion = bad the way to get modded up here now? Odd. Allow me to balance this rant.

    Sex is good. Frankly, sex is great. Honestly, it's one of the best things that I've ever experienced. :-) And since it is great, these vague notions of "fundamentalist religions" that you cite never actually say "sex is bad". They do put conditions on sex, but it's up to the individual to follow them and I get the impression you aren't bound by these conditions in any event.

    Porn is porn. I'm not really going to put any moral value to it, but if you can watch it without unhealthily raising your expectations for real world women, or if you can be with real world women at that point without thinking of the porn... more power to you. Some couples say it helps their sex life, but then who are you really making love to? Your spouse or your fantasy?

    There are a couple thousand different ways this conversation can go from here (including offtopic :-) but I'll quit for now.

  • Re:yawn (Score:5, Insightful)

    by john.mull ( 790526 ) <john.mull@gmailPASCAL.com minus language> on Tuesday March 15, 2005 @10:54AM (#11943049) Journal
    [diatribe]

    Having the feelings is natural. Natural as in God gave them to us as a part of our physical being. There might be debate as to whether they are there for procreation only, which depends on your version of extremism. However, the feelings ARE natural and purposefully put there.

    That does NOT mean that they should be acted on. As a fallen creature, we also have the urges to lie, cheat, steal, hurt others, and even hurt ourselves. These tendencies are seen negatively and should be. We do need to edit our responses to our feelings, sexual or not.

    Choosing to feel how I want - now that's complete freedom. Unfortunately, we aren't given that freedom. Instead, we choose between right and wrong. A moral choice based on morality which can not be defined independently from God.

    [/diatribe]

    End product? Suppression is not the only alternative to acting on them. Elimination of temptation is a good way also. Don't watch that National Geographic special on that lost Amazon tribe. Don't buy the Sports Illustrated swim suit edition. (You should have seen the look on the Best Buy cashier's face (a guy), when I demanded that he remove the SI software/magazine display from the counter. It was offensive. He thought I was kidding. I was not. It was a priceless look.)

    You can choose to avoid the temptation. Divert your eyes. Divert your thoughts. What are the guidelines? Not mine to say, but it can be done.

    john.mull
  • Re:yawn (Score:5, Insightful)

    by BoomerSooner ( 308737 ) on Tuesday March 15, 2005 @10:54AM (#11943055) Homepage Journal
    Because we live in Conservative America where a breast is a horrible blight on society. I love going to Europe where shower commercials show nude women and no one seems to give a shit. Not to mention people on the beaches.

    What the fuck is wrong with people in this country. Oh yea, sex is evil & a sin if it's not for procreation. Religion is the root of all evil.
  • Re:yawn (Score:2, Insightful)

    by karnal ( 22275 ) on Tuesday March 15, 2005 @11:16AM (#11943198)
    You definitely need laid.

    By a man.

    Also, in the end of your rant, you choose to tell us that we can choose to avoid the temptation.

    But prior, you're asking a Best Buy employee (who has no say on what gets placed at the counter to begin with) to remove the Swimsuit Issue.

    Does it feel good that you made someone squirm? Try giving up that temptation the next time you feel all high and mighty. Making people feel uncomfortable is a temptation as well.
  • Re:Yikes! (Score:5, Insightful)

    by hanssprudel ( 323035 ) on Tuesday March 15, 2005 @11:30AM (#11943325)
    More seriously: How many of you have needed to log in to a machine remotely from some Windows PC, and just googled for "putty" and used the first link? Imagine how many machines you compromise by simply replacing putty's homepage in the rankings.
  • Re:yawn (Score:5, Insightful)

    by MythoBeast ( 54294 ) on Tuesday March 15, 2005 @11:40AM (#11943407) Homepage Journal
    I hate to be the one to break this to you, but most people fantasize during sex. Men and women both.

    Porn doesn't raise people's expectation of the habits of real women any more than romantic movies raise women's expectations of real men. They do a little, but then again there are a few real men and women who take a clue or two and get ideas from these media in order to help please their spouses, girlfriends, whatever.

    As far as 14 year olds seeing porn is concerned (trying to get a little bit on topic), I'm firmly convinced that our country's simultaneous demonization and glorification of sex is one of the things that makes kids curious about it. I really wish that both groups would just stop it and start teaching children about sex as a natural human function that needs to be performed with caution and discretion.
  • Re:yawn (Score:5, Insightful)

    by ShamusYoung ( 528944 ) on Tuesday March 15, 2005 @11:57AM (#11943547) Homepage

    Porn doesn't always mean nice shots of bare-breasted hotties. It ALSO can mean "married lactating grandmas doing their first anal with an underage donkey!"

    If someone is doing a malicious redirect, I expect they would rather show you the latter and not the former. In either case, viewing ANY porn image can get you fired or otherwise in trouble in the right (wrong) situation.

    Someone mentioned using the BACK button. Great thinking, assuming you know you've been redirected. If the page looks right and behaves properly, how many people will notice they have been redirected to www.nat1onalbank.com, and enter their personal info. Ooops! Oh well. The BACK button can let me take back my password, right?

    Right?

  • Re:yawn (Score:4, Insightful)

    by MadMartigan2001 ( 766552 ) on Tuesday March 15, 2005 @11:58AM (#11943552)
    "we also have the urges to lie, cheat, steal, hurt others, and even hurt ourselves"

    Sorry, I do not have those feelings. If you do, you should seek help. What you're feeling is not natural, nor is it healthy. And scariest of all, when talking about natural sexual desire, you use the analogy of "lie, cheat, steal, hurt others" as examples of similar human behavior. Now that, is really the telling part of your views about sexual desire, creepy.

  • Re:yawn (Score:5, Insightful)

    by Civil_Disobedient ( 261825 ) on Tuesday March 15, 2005 @12:40PM (#11943987)
    if you can watch it without unhealthily raising your expectations for real world women, or if you can be with real world women at that point without thinking of the porn... more power to you.

    And if you can't, you'll probably have trouble getting/maintaining a real-life GF, which will make you d/l more porn, etc. ad. infinitum.

    But so what? People can choose all sorts of ways to make themselves unappealing to the opposite sex. Maybe the moral majority should start a campaign against leisure suits.
  • Re:yawn (Score:5, Insightful)

    by robertjw ( 728654 ) on Tuesday March 15, 2005 @02:03PM (#11944927) Homepage
    And since it is great, these vague notions of "fundamentalist religions" that you cite never actually say "sex is bad".

    Even though we are in serious OT territory here, I thought I would throw my two cents in. Before I start, let me make it very clear that I am a member of a "fundamentalist religion", I grew up Methodist, and have been part of a non-denominational congregation since I was 15. That said, I don't completely agree with everything the fundamentalists believe, and sex is one of the items at the top of the list that I have issues with.

    Fundamentalists may not teach the "sex is bad", but they do strike a serious fear of sex in the minds of all of their teenagers. I grew up believing that having sex outside of marriage is probably the worst sin you could commit. Now I personally don't think teen sex is a good thing, really, who wants a baby at 17, but the church tends to go so far that they create (as another poster commented) this air for mystery about the whole thing. The church I went to often discouraged dating, kissing, being alone with someone of the opposite sex, anything that could possibly lead to sex. The problem with this is it also screws up much of a kid's psychological and sexual maturity. If you follow their rules, you never gain the experience needed to be successful in relationships down the road. If you don't you are an outcast and a bad kid.

    Why do you think that the Christian church in America has a higher divorce rate than the general population? These kids are taught that you have to be married to have sex, and it's evil to date, so they get married at 18 to the first nice christian girl they find, just so they can sleep together. Five years they figure out that they really don't like each other, or one of them wants to go sow some wild oats, so they get divorced. I've seen it many times.

    I don't know what the right answer is, but the fundamentalist church is alienating itself from the common man by focusing on issues that either aren't important, aren't a sin or just aren't worth fighting about. They focus on things like sex, drinking, smoking, bad words and homosexuality, but ignore things like lying, cheating, stealing, and greed.
  • Re:yawn (Score:2, Insightful)

    by Jim_Callahan ( 831353 ) on Tuesday March 15, 2005 @03:06PM (#11945564)
    So you're saying that he should express uncertainty about something he's certain about? Oh, yeah, that would really make him more honest. Besides, you do the same thing he does in your own post. If you really lived by the philosophy you push here, you'd be saying "that which I believe can never be known by human beings," rather than just flat out asserting things.

    Just a little counterflaming to remind you guys that anti-religion has become just as ridiculously dogmatic as religion. (Bwahahaha)
  • Re:yawn (Score:2, Insightful)

    by Woody77 ( 118089 ) on Tuesday March 15, 2005 @03:11PM (#11945608)
    If you have an addictive personality, anything can be addictive and ruin your life.
  • Re:yawn (Score:5, Insightful)

    by snorklewacker ( 836663 ) on Tuesday March 15, 2005 @03:14PM (#11945643)
    Wow, thank you for that eloquent summation. It so well summarizes what I was taught, what I believed, and why I later repudiated utterly the entire belief and community that reinforced this warped worldview.

    You want to remove your temptations? Stay the fuck home and leave the rest of us alone then.
  • Re:yawn (Score:5, Insightful)

    by d34thm0nk3y ( 653414 ) on Tuesday March 15, 2005 @03:55PM (#11946071)
    I am a member of a "fundamentalist religion", I grew up Methodist, and have been part of a non-denominational congregation since I was 15. That said, I don't completely agree with everything the fundamentalists believe,

    Then you are not a fundamentalist. Nor would I consider a "non-denominational congregation" a fundamentalist church in general.

    Is mentioning porn = good and fundamentalist religion = bad the way to get modded up here now? Odd..

    As for the GP the answer is yes because it is true.
  • Re:yawn (Score:5, Insightful)

    by mysticgoat ( 582871 ) on Tuesday March 15, 2005 @04:37PM (#11946489) Homepage Journal

    There is a definite difference between being certain in your faith (internally) and claiming as fact (externally) that which cannot be tested or demonstrated by human means. Yes, there are human limitations, but this is not my belief, since I can demonstrate it with the same solidity that I can use to demonstrate the facts of gravity:

    For instance, we have an inability to know Pi with absolute precision. Perhaps a god could know Pi with perfect precision, or perhaps not... but there are proofs that it cannot be known within human experience. Another instance: not only can we not measure our ability to use our human imagination, we cannot even conceive of a yardstick that would allow such a measure. We are limited in our ability to comprehend this core part of our nature.

    This argument has been presented so many times before, and in so many different formal logical systems, that it can be accepted as a kind of universal axiom (like Planck's Constant, for instance). You can get to it as an extension of the cosmologist's anthropic principle, but there are also ways to get to it from any world view that is not arbitrarily dismissive of new information about the world.

    Someone needs to mod this as "-1 infantile philosophy". I think I've been suckered by trolls...

  • Re:yawn (Score:2, Insightful)

    by 0x000000 ( 841725 ) on Tuesday March 15, 2005 @04:57PM (#11946693)
    Americans are so uptight about what they see. In Europe we do not like violence, movies on TV can have all the nudity they want, but violence is looked down upon.

    When I go back to the Netherlands and I come over with a set of new movies I got in the US, most people I go to visit won't let their kids watch the movies. If I brought back a normal film from The Netherlands people in the US would be disgusted, and probably sue the crap out of me.

    We were all born naked, it is our natural bodies. What is wrong with that?
  • Re:Two words (Score:3, Insightful)

    by shird ( 566377 ) on Tuesday March 15, 2005 @07:51PM (#11948388) Homepage Journal
    I expect a nasty IM virus someday.

    I don't. There was a recent gdiplus bug which allowed arbitrary code to be executed through just viewing an image. This could be exploited through MSN messenger with no interaction on part of the user.

    So where's the virus? There is none, because MS just has to block that client and force people to upgrade to connect. Centralisation can be a wonderful thing sometimes.
