
Google 302 Exploit Knocks Sites Out

clsc writes "The exploit: Redirect via 302 to another page of your choice, then watch as the URL of your redirect script replaces the URL of that carefully selected page in Google's search results. Once this happens, feel free to redirect any visitor that is not Googlebot to any other page of your choice. Also applies to other search engines as well (not Yahoo! though)."
  • by sinator ( 7980 ) on Tuesday March 15, 2005 @09:25AM (#11942459)
    Oracle 9iAS and 10gAS are VERY heavy on the 302 redirects (as a way to moderate traffic using mod_oc4j).

    Most of the redirects are innocuous, for example with an application whose context-root is /foo, you'd see a redirect from http://www.example.com/foo to http://www.example.com/foo/, but I can see this product borking up search results as its use becomes pervasive in the enterprise.

    Since the product can't be changed, I'd probably change Google's behavior.
  • WTF (Score:2, Interesting)

    by anthony_dipierro ( 543308 ) on Tuesday March 15, 2005 @09:26AM (#11942466) Journal

    How is this hijacking? How is this any different from me simply adding the text and title of the other page to my page? Sure, I can change the redirect later, or change it for anyone except for googlebot, but I can do that with the content just as easily (more easily, in fact).

    Furthermore, I suspect google has at least a few bots which don't announce themselves as googlebots just to check for such discrepancies.

  • Re:yawn (Score:2, Interesting)

    by LiquidCoooled ( 634315 ) on Tuesday March 15, 2005 @09:34AM (#11942505) Homepage Journal
    Actually, Lynx [browser.org] is.

    But then again, I'm just being pedantic.
    This hijacking thing is becoming a real PITA, and his recommendations to the search engines at the end of the article are reasonable.

    The fix I personally recommend is simple: treat cross-domain 302 redirects differently than same-domain 302 redirects. Specifically, treat same-domain 302 redirects exactly as per the RFC, but treat cross-domain 302 redirects just like a normal link.
  • by Buran ( 150348 ) on Tuesday March 15, 2005 @09:34AM (#11942506)
    A site registered and hosted using stolen funds from my credit card is still online following phoned and faxed demands for revocation and refund sent to the registrar/host. Can I somehow use this to send an entire domain to a black hole until the hosting/domain are revoked? It wouldn't be hacking, but it would make me feel a lot better to see the scammers knocked offline. If no one can get to them on google, they can't get any scam income. And what are they going to do -- sue me? That just would result in my slapping them with *criminal* charges as well as a motion for dismissal and a countersuit.
  • by G4from128k ( 686170 ) on Tuesday March 15, 2005 @09:35AM (#11942512)
    In the Google example shown in TFA, it's "easy" to spot a hijack by looking at the URL. But if Google or other search engines were to support IDN (Internationalized Domain Names), then it would be even easier for a criminal to hijack a bank's login page with the IDN browser exploit [slashdot.org].
  • Re:Fake Banks (Score:5, Interesting)

    by SmurfButcher Bob ( 313810 ) on Tuesday March 15, 2005 @09:38AM (#11942526) Journal
    You need to OWN the site that was searched. This is no different than keyword bombing tricks of old; it is merely a bait-and-switch.

    Not news.
  • Fun (Score:5, Interesting)

    by stang7423 ( 601640 ) on Tuesday March 15, 2005 @09:39AM (#11942534)

    Wow. That's a fun exploit... I can't wait to go tell my boss why our site links to a pron site on google.

    All kidding aside, this could be a major problem for some of the more controversial websites. Akin to the Googlebombing [slashdot.org] that was just mentioned yesterday, this could be the next major attack scheme on the net. Imagine a pro-life site subverting a pro-choice site, Neo-nazis subverting a site intended for Jewish children, the US government subverting Al Jazeera...

    Not a whole lot of fun IMHO. I trust google to return what I search for, if this changes I and a whole lot of other nerds are going to be left wandering aimlessly around the net.

  • by teksno ( 838560 ) on Tuesday March 15, 2005 @09:39AM (#11942538)
    Well, I guess this could be good news for the blogging google bombers..... http://slashdot.org/article.pl?sid=05/03/15/0035225&tid=217&tid=1 [slashdot.org] they might actually get something done about the spam.
  • by bigtallmofo ( 695287 ) on Tuesday March 15, 2005 @09:50AM (#11942616)
    Anyone that wants to steal your traffic can take advantage of this. Nearly all the sites that I have created in the last year have been purposely hijacked by this and don't show up in any Google rankings. I've learned to live with it despite contacting the jerk responsible who pleaded innocent and said he wasn't very technical and didn't know what was going on.

    Historically, good content meant good search engine placement. Now that this little trick is being more publicized, it just decreases the amount of time required for someone to hijack your entire site and remove it completely from the search engine results.
  • Duplicate content (Score:2, Interesting)

    by tfountain ( 619557 ) on Tuesday March 15, 2005 @10:02AM (#11942685) Homepage

    I've seen the effects of this first hand and it's a slightly nastier problem than people realise.

    It's not uncommon for search engines to penalise sites for duplicate content, i.e. identical content on multiple domains. So with this problem all it takes is a couple of other sites to link to you, completely innocently with a 302, and *bang*, your site disappears down the listings.

  • by Junior Samples ( 550792 ) on Tuesday March 15, 2005 @10:06AM (#11942713)

    I've noticed that a lot of my google searches get redirected to an Ebay search page even though the displayed url in the search results is a non-ebay url. I checked the Google cached result and it was not the same as the re-directed page.

    It's very annoying as I haven't been able to figure out what is going on. The same Ebay search results show up under dozens of urls in the Google search results.

  • Re:yawn (Score:1, Interesting)

    by Anonymous Coward on Tuesday March 15, 2005 @10:15AM (#11942788)
    You believed your 14-year-old boy when he told you that? My kids feel the wrath of a transparent squid proxy with logging. They know I can and do watch everything they do, maybe not in real time and may not confront them immediately when I notice something strange, but they will get caught.
  • I don't get it (Score:3, Interesting)

    by zeath ( 624023 ) on Tuesday March 15, 2005 @10:43AM (#11942979) Homepage
    I don't get it. This is all just sensationalism to me. If you play with 302 redirects, something bad might happen, but there's no way to predict it (as per the article, it's an arbitrary choice based on pagerank and other internal mechanisms). To me this is just a Google equivalent of terror alert orange.
  • Nothing new? (Score:2, Interesting)

    by sphen ( 867883 ) on Tuesday March 15, 2005 @11:00AM (#11943090)
    A quick search on Google gave me this link:

    http://www.tonyspencer.com/mt/archives/2004/12/tracker2php_pag_1.htm

    This has clearly been documented before. I'm surprised it has not been fixed after all this time. The slashdot post and the clsc.net page gave me the impression this was something new.
  • Re:yawn (Score:2, Interesting)

    by chl ( 247840 ) on Tuesday March 15, 2005 @07:28PM (#11948152)

    Quote: [Fundamentalist religions] do put conditions on sex,...

    This has to be the understatement of the month. Sex is what people very much want to do. Religions usually restrict their members to have sex with only one person ever, of the opposite sex, and only for reproduction. These are very severe restrictions that people only put up with because religions hold their eternal soul hostage, i.e. you don't do as we say, you go to hell. Most religions are guilty of this abuse, and I do not like them better for it (to put it mildly).

    Quote: ...but it's up to the individual to follow them

    If you do not mind being excommunicated/told you'll go to hell/publicly called a whore/stoned to death. Surely, religion has no adverse effect on people who do not obey.

    chl
