Forgot your password?
typodupeerror
Google Businesses The Internet

Google 302 Exploit Knocks Sites Out 410

Posted by CmdrTaco
from the that-hurts-me dept.
clsc writes "The exploit: Redirect via 302 to another page of your choice, then watch as the URL of your redirect script replaces the URL of that carefully selected page in Google's search results. Once this happens, feel free to redirect any visitor that is not Googlebot to any other page of your choice. Also applies to other search engines as well (not Yahoo! though)."
This discussion has been archived. No new comments can be posted.

Google 302 Exploit Knocks Sites Out

Comments Filter:
  • Yikes! (Score:5, Funny)

    by LinuxGeek (6139) <djand@nc.gmail@com> on Tuesday March 15, 2005 @09:18AM (#11942420)
    Web wide malware. The return of Goatse cannot be far behind... Pun intended.
  • danger! (Score:2, Funny)

    by Neuropol (665537)
    #15) Optional: For mischievous webmasters only: For any other visitor than "Googlebot", make the redirect script point to any other page free of choice.

    heh. tubgirl abounds!
    • Re:danger! (Score:3, Funny)

      by Klar (522420)
      *puke*

      hah, someone wrote the address to that site on the board in our computing lab in permanent ink. Was funny to see how many people went to it.
  • Splendid (Score:5, Insightful)

    by Netsensei (838071) on Tuesday March 15, 2005 @09:23AM (#11942444) Homepage
    1. post how to generate more traffic to one's website by exploiting a flow in google on /.
    2. show a "random" ad (336px by 280 px) promoting 'google adsense' clearly stating "how to turn your website into a revenue generator in minutes" at said post.

    ...

    3. $$$
  • goog (Score:5, Funny)

    by kloidster (817307) on Tuesday March 15, 2005 @09:23AM (#11942447)
    SELL SELL SELL SHORT!!!!
    • Re:goog (Score:5, Informative)

      by _Sharp'r_ (649297) <sharper@booksun[ ... m ['der' in gap]> on Tuesday March 15, 2005 @01:46PM (#11944725) Homepage Journal
      I know you are joking, but this problem pre-dates the IPO.

      The basic issue is that not only can purposeful individuals kick you out of the serps with a simple 302 from a higher pagerank page, but people who use 302 redirects to track outgoing links from their site (and several content management software packages do this by default) can accidently do the same thing and there isn't anything the real webmaster can do about it.

      It's been discussed in much greater detail in a thread at webmaster world [webmasterworld.com] for a while, as well.
  • yawn (Score:5, Funny)

    by evenprime (324363) on Tuesday March 15, 2005 @09:23AM (#11942448) Homepage Journal
    boy, sending me to the wrong page is such a scary and horrible thing to do. Luckily my browser came equipped with the special "back button" anti-malware plugin.
    • Re:yawn (Score:2, Insightful)

      by Chris Kamel (813292)
      it will be when your 14 year old boy searches for something for his research paper and gets redirected to pr0n instead.
      • Re:yawn (Score:5, Funny)

        by R.Caley (126968) on Tuesday March 15, 2005 @09:28AM (#11942476)
        it will be when your 14 year old boy searches for something for his research paper and gets redirected to pr0n instead.

        God knows, 14 year old boys need to be tricked to make them look at porn.

        • Re:yawn (Score:5, Funny)

          by Anonymous Coward on Tuesday March 15, 2005 @10:28AM (#11942893)
          "I swear Dad, I was just looking up stuff for my... uh... research paper, when suddenly, I was redirect to goatse!"

          "That's fine, but why is that wine bottle shoved in your ass?"

          "It was a one in a million shot, I tell ya..."
        • Re:yawn (Score:5, Insightful)

          by ShamusYoung (528944) on Tuesday March 15, 2005 @11:57AM (#11943547) Homepage

          Porn doesn't always mean nice shots of bare-breasted hotties. It ALSO can mean "married lactating grandmas doing their first anal with an underage donkey!"

          If someone is doing a malicious redirect, I expect they would rather show you the latter and not the former. In either case, viewing ANY porn image can get you fired or otherwise in trouble in the right (wrong) situation.

          Someone mentioned using the BACK button. Great thinking, assuming you know you've been redirected. If the page looks right and behaves properly, how many people will notice they have been redirected to www.nat1onalbank.com, and enter their personal info. Ooops! Oh well. The BACK button can let me take back my password, right?

          Right?

      • Re:yawn (Score:3, Insightful)

        by Ziviyr (95582)
        Gotta be nuts to let kids roam unsupervised about the net.
      • Re:yawn (Score:5, Insightful)

        by Anonymous Coward on Tuesday March 15, 2005 @09:45AM (#11942581)
        I don't know if you're a father or something, but I was less than 10 years old when I first looked at porn and it was love at first sight! That did not make me a sick pervert: I'm a engineer now and I don't regret a second having looked at porn magazines in my youth.
      • Re:yawn (Score:2, Funny)

        by Gruneun (261463)
        it will be when your 14 year old boy searches for something for his research paper and gets redirected to pr0n instead.

        Is that what he told you? "No, Dad, I was just trying to do a research paper. I had nothing to do with it!"
      • Re:yawn (Score:5, Insightful)

        by MadMartigan2001 (766552) on Tuesday March 15, 2005 @10:07AM (#11942719)
        Hmmm, lets see if we can calculate this...

        Research paper = good
        Porn = bad
        Young boy = Becomming a sexual being

        Grand total = Neurotic young man who feels guilty for acknowledging his sexual feelings.

        Why is it so hard for some people to acknowledge the simple fact that young people of all ages have sexual feelings that are natural. And to repress those feelings and smother them in guilt is a very very damaging thing to do.

        OH ya, I forget, all the fundamentalist (pick any religion) know exactly how we are all supposed to feel. Excuse me while I go puke!
        • Re:yawn (Score:5, Insightful)

          by lpangelrob2 (721920) on Tuesday March 15, 2005 @10:53AM (#11943045) Journal
          Is mentioning porn = good and fundamentalist religion = bad the way to get modded up here now? Odd. Allow me to balance this rant.

          Sex is good. Frankly, sex is great. Honestly, it's one of the best things that I've ever experienced. :-) And since it is great, these vague notions of "fundamentalist religions" that you cite never actually say "sex is bad". They do put conditions on sex, but it's up to the individual to follow them and I get the impression you aren't bound by these conditions in any event.

          Porn is porn. I'm not really going to put any moral value to it, but if you can watch it without unhealthily raising your expectations for real world women, or if you can be with real world women at that point without thinking of the porn... more power to you. Some couples say it helps their sex life, but then who are you really making love to? Your spouse or your fantasy?

          There are a couple thousand different ways this conversation can go from here (including offtopic :-) but I'll quit for now.

          • Re:yawn (Score:5, Insightful)

            by MythoBeast (54294) on Tuesday March 15, 2005 @11:40AM (#11943407) Homepage Journal
            I hate to be the one to break this to you, but most people fantisize during sex. Men and women both.

            Porn doesn't raise people's expectation of the habits of real women any more than romantic movies raise women's expectations of real men. They do a little, but then again there are a few real men and women who take a clue or two and get ideas from these media in order to help please their spouses, girlfriends, whatever.

            As far as 14 year olds seeing porn is concerned (trying to get a little bit on topic), I'm firmly convinced that our country's simultaneous demonization and glorification of sex is one of the things that makes kids curious about it. I really wish that both groups would just stop it and start teaching children about sex as a natural human function that needs to be performed with caution and discression.
          • Re:yawn (Score:5, Insightful)

            by Civil_Disobedient (261825) on Tuesday March 15, 2005 @12:40PM (#11943987)
            if you can watch it without unhealthily raising your expectations for real world women, or if you can be with real world women at that point without thinking of the porn... more power to you.

            And if you can't, you'll probably have trouble getting/maintaining a real-life GF, which will make you d/l more porn, etc. ad. infinitum.

            But so what? People can choose all sorts of ways to make themselves unappealing to the opposite sex. Maybe the moral majority should start a campaign against leisure suits.
          • Re:yawn (Score:5, Insightful)

            by robertjw (728654) on Tuesday March 15, 2005 @02:03PM (#11944927) Homepage
            And since it is great, these vague notions of "fundamentalist religions" that you cite never actually say "sex is bad".

            Even though we are in serious OT territory here, I thought I would throw my two cents in. Before I start, let me make it very clear that I am a member of a "fundamentalist religion", I grew up Methodist, and have been part of a non-denominational congregation since I was 15. That said, I don't completely agree with everything the fundamentalists believe, and sex is one of the items at the top of the list that I have issues with.

            Fundamentalists may not teach the "sex is bad", but they do strike a serious fear of sex in the minds of all of their teenagers. I grew up believing that having sex outside of marriage is probably the worst sin you could commit. Now I personally don't think teen sex is a good thing, really, who wants a baby at 17, but the church tends to go so far that they create (as anothe poster commented) this air for mystery about the whole thing. The church I went to often discouraged dating, kissing, being alone with someone of the opposite sex, anything that could possibly lead to sex. The problem with this is it also screws up much of a kid's psychological and sexual maturity. If you follow their rules, you never gain the experience needed to be succesful in relationships down the road. If you don't you are an outcast and a bad kid.

            Why do you think that the Christian church in America has a higher divorce rate than the general population? These kids are taught that you have to be married to have sex, and it's evil to date, so they get married at 18 to the first nice christian girl the find, just so they can sleep together. Five years they figure out that they really don't like each other, or one of them wants to go sow some wild oats, so they get divorced. I've seen in many times.

            I don't know what the right answer is, but the fundamentalist church is alienating itself from the common man by focusing on issues that either aren't important, aren't a sin or just aren't worth fighting about. They focus on things like sex, drinking, smoking, bad words and homosexuality, but ignore things like lying, cheating, stealing, and greed.
            • They focus on things like sex, drinking, smoking, bad words and homosexuality, but ignore things like lying, cheating, stealing, and greed.

              Sometimes they don't ignore those bad things, but embrace them. Remember the Jim and Tammy Faye Baker scandal?

            • Re:yawn (Score:5, Insightful)

              by d34thm0nk3y (653414) on Tuesday March 15, 2005 @03:55PM (#11946071)
              I am a member of a "fundamentalist religion", I grew up Methodist, and have been part of a non-denominational congregation since I was 15. That said, I don't completely agree with everything the fundamentalists believe,

              Then you are not a fundamentalist. Nor would I consider a "non-denominational congregation" a fundamentalist church in general.

              Is mentioning porn = good and fundamentalist religion = bad the way to get modded up here now? Odd..

              As for the GP the answer is yes because it is true.
        • Re:yawn (Score:5, Insightful)

          by john.mull (790526) <john.mullNO@SPAMgmail.com> on Tuesday March 15, 2005 @10:54AM (#11943049) Journal
          [diatribe]

          Having the feelings is natural. Natural as in God gave them to us as a part of our physical being. There might be debate as to whether they are there for procreation only, which depends on your version of extremism. However, the feelings ARE natural and purposefully put there.

          That does NOT mean that they should be acted on. As a fallen creature, we also have the urges to lie, cheat, steal, hurt others, and even hurt ourselves. These tendencies are seen negatively and should be. We do need to edit our responses to our feelings, sexual or not.

          Choosing to feel how I want - now that's complete freedom. Unfortunately, we aren't given that freedom. Instead, we choose between right and wrong. A moral choice based on morality which can not be defined independly from God.

          [/diatribe]

          End product? Surpression is not the only alternative to acting on them. Elimination of temptation is a good way also. Don't watch that National Geographic special on that lost Amazon tribe. Don't buy the Sports Illustrated swim suit edition. (You should have seen the look on the Best Buy cashier's face (a guy), when I demanded that he remove the SI software/magazine display from the counter. It was offensive. He thought I was kidding. I was not. It was a priceless look.)

          You can choose to avoid the temptation. Divert your eyes. Divert your thoughts. What are the guidelines? Not mine to say, but it can be done.

          john.mull
          • Re:yawn (Score:4, Insightful)

            by MadMartigan2001 (766552) on Tuesday March 15, 2005 @11:58AM (#11943552)
            "we also have the urges to lie, cheat, steal, hurt others, and even hurt ourselves"

            Sorry, I do not have those feelings. If you do, you should seek help. What your feeling is not natural, nor is it healthy. And scariest of all, when talking about natural sexual desire, you use the analogy of "lie, cheat, steal, hurt others" as examples of similar human behavior. Now that, is really the telling part of your views about sexual desire, creepy.

          • Re:yawn (Score:3, Funny)

            by ltbarcly (398259)
            I base my morality on the teachings of the tooth fairy.
          • Re:yawn (Score:4, Informative)

            by Guppy06 (410832) on Tuesday March 15, 2005 @03:05PM (#11945551)
            "I demanded that he remove the SI software/magazine display from the counter."

            Best Buy owned the magazine stand, the counter, the time of the person you were outright harassing, the building the exchange took place in, the merchandise you were holding in your hand until you handed over your money for it... in short, it's their private property! If you don't like it, go away!

            I'm no fan of T&A magazines, if for no other reason than because it's a lame and overused marketing gimimck. But you ask someone to change what they're doing in their own store, you do not demand. And if they say "no," that's the end of the matter. You have no right to dictate the lives and decisions of other people, no matter what your religion may tell you.

            "Divert your eyes. Divert your thoughts."

            Do what you will with your eyes and thoughts. Leave mine alone.
          • Re:yawn (Score:5, Insightful)

            by snorklewacker (836663) on Tuesday March 15, 2005 @03:14PM (#11945643)
            Wow, thank you for that eloquent summation. It so well summarizes what I was taught, what I believed, and why I later repudiated utterly the entire belief and community that reinforced this warped worldview.

            You want to remove your temptations? Stay the fuck home and leave the rest of us alone then.
        • Re:yawn (Score:5, Insightful)

          by BoomerSooner (308737) on Tuesday March 15, 2005 @10:54AM (#11943055) Homepage Journal
          Because we live in Conservative America where a breast is a horrible blight on society. I love going to Europe where shower commericals show nude women and noone seems to give a shit. Not to mention people on the beaches.

          What the fuck is wrong with people in this country. Oh yea, sex is evil & a sin if it's not for procreation. Religion is the root of all evil.
      • Re:yawn (Score:5, Funny)

        by VanillaCoke420 (662576) <.vanillacoke420. .at. .hotmail.com.> on Tuesday March 15, 2005 @10:26AM (#11942880)
        As a former 14 year old boy I can only say that if I had internet at that age, I would not need to be tricked into going to those websites...
      • Re:yawn (Score:5, Funny)

        by NanoGator (522640) on Tuesday March 15, 2005 @12:30PM (#11943887) Homepage Journal
        "t will be when your 14 year old boy searches for something for his research paper and gets redirected to pr0n instead."

        "Son! What are you looking at? Is that ... Porn!?!"

        "I told you! I'm working on a report!"

        "With naked women?!"

        "It's a History report, so I hit the History button on your computer!"
    • Re:yawn (Score:5, Funny)

      by goldspider (445116) <{ardrake79} {at} {gmail.com}> on Tuesday March 15, 2005 @09:28AM (#11942473) Homepage
      Obviously you've never tripped a well-concealed Goatse landmine. No browser is equipped to deal with that kind of damage!
      • Re:yawn (Score:2, Interesting)

        by LiquidCoooled (634315)
        Actually, Lynx [browser.org] is.

        But then again, I'm just being pedantic.
        This hijacking thing is becoming a real PITA, and his recommendations to the search engines at the end of the article are reasonable.

        The fix i personally recommend is simple: treat cross-domain 302 redirects differently that same-domain 302 redirects. Specifically, treat same-domain 302 redirects exactly as per the RFC, but treat cross-domain 302 redirects just like a normal link.
        • Re:yawn (Score:2, Funny)

          by EvanED (569694)
          I don't think Lynx is "equipped" to deal with that so much as not equipped to do anything else on the web ;-)
    • Fake Banks (Score:4, Insightful)

      by Anonymous Coward on Tuesday March 15, 2005 @09:30AM (#11942481)
      The use of the exploit isn't just to childishly send people to Goatse - it's about money. What happens when you go to your bank's website and get redirected to an identical-looking website that steals your information?
      • Re:Fake Banks (Score:5, Interesting)

        by SmurfButcher Bob (313810) on Tuesday March 15, 2005 @09:38AM (#11942526) Journal
        You need to OWN the site that was searched. This is no different than keyword bombing tricks of old; it is merely a bait-and-switch.

        Not news.
        • Re:Fake Banks (Score:5, Informative)

          by That's Unpossible! (722232) * on Tuesday March 15, 2005 @10:04AM (#11942705)
          You need to OWN the site that was searched. This is no different than keyword bombing tricks of old; it is merely a bait-and-switch.

          Not news.


          I agree it's old, even the guy that wrote the article admits it goes back a few years. But you are wrong about how it works. These aren't just extra pages ... these pages can actually REPLACE yours in the search results, since Google sees the two pages as duplicates of each other, but doesn't realize it has been "tricked."
      • I, for one, have a hard time feeling any mercy for the perpetrators of such crime.
        Tie the (unambiguously) guilty to a post, give each victim one rock.
        Not exactly a modern, liberal answer, but the question remains: does disapassionate, white-collar crime deserve mercy?
        Hang 'em high, say I.
      • Re:Fake Banks (Score:4, Informative)

        by Taladar (717494) on Tuesday March 15, 2005 @09:40AM (#11942545)
        You can do nothing with this that couldn't be done better with DNS Spoofing so it is not as if the problem was a new one...
        • I agree that the problem is not a new one. However, think about the following scenario:

          • A malicious user registers a dozen domain names using various incorrect spellings based on the name of some bank (typosquatters).
          • For a while, all of these fake domains redirect to the real bank.
          • The Googlebot indexes all of them and eventually one of these sites replaces the official web site at the top of the Google results (according to the "duplicate removal" described in the article).
          • Once the malicious user sees
          • Re:Fake Banks (Score:3, Insightful)

            by vperez (162398)
            Anyone who uses Google to search for their bank instead of getting the URL from their bank statement needs to be taught better.

            Users need to be a lot less trusting of things online, especially if its the result of a search.
          • I agree that the problem is not a new one.

            I am really struggling to work out what the fuss is about, the original article is incoherent.

            The alleged attack appears to rely on certain search engines assigning a page rank to the content as opposed to the URL used to reach the content. This would mean that if I look at the top page in a google search, and publish an exact copy then when the search engine indexes my page google will point to my link 50% of the time. This allows me to hijack a page rank and t

        • Re:Fake Banks (Score:2, Insightful)

          by jwin1020 (148430)
          Of course hacking the root DNS servers is just a _little_ harder than putting up a web page with a redirect.
      • Re:Fake Banks (Score:5, Insightful)

        by millette (56354) <robin@nOspaM.millette.info> on Tuesday March 15, 2005 @09:41AM (#11942550) Homepage Journal
        euh, ssl certificates ?
        • Re:Fake Banks (Score:3, Insightful)

          by Donny Smith (567043)
          > euh, ssl certificates ?

          Errr, SSL certs what?

          Once you get directed to a fake site, you can SSL all you want.

          99% of people NEVER check SSL certificates but instead choose to continue encrypted access because that's the easiest thing to do.

          And not to mention that most (financial enterprises excluded) SSL sites are self-signed, so there's no fucking point of looking at that crap anyway (morons who run unimportant mailing list archives on HTTPS instantly sprint to mind).
      • What happens when you go to your bank's website and get redirected to an identical-looking website that steals your information?

        You get what you deserve for going to your bank via Google?

        • Re:Fake Banks (Score:2, Informative)

          by kryonD (163018)
          "You get what you deserve for going to your bank via Google?"

          I use google all the time if I'm on someone else's computer since my bank has a strange URL.

          However, if you search for say "Chevy Chase Bank" and then click on a link where the address clearly has nothing to do with Chevy Chase...well, Darwin had some things to say about that.
      • What happens when you go to your bank's website and get redirected to an identical-looking website that steals your information?

        Jesus! I sure hope people aren't using a search engine to find their bank's website. The horror!
    • Re:yawn (Score:3, Funny)

      by fshalor (133678)
      Just as long as M$ or someone else doesn't patent the use of the "back" button for evading this sort of ware attack. All it would take was calling it the anti-malware function or something, and we're tanked.

      I'm sure google will straighten themselves out in a few days. It's what they do. :)
  • by Anonymous Coward on Tuesday March 15, 2005 @09:23AM (#11942449)
    Insert MS blame here
  • Yessir, whatever you say sir. I don't think Slashdot should be so commanding; we're going to have a legion of nerds who actually think that CmdrTaco wants them to do this because of the way it's written. Hehe.
  • The dark path (Score:2, Insightful)

    by lanc (762334)

    sure. Do some 302 redirect-statistic-hack. Make money. Cheat your customers. No it's no excuse that other ones are doing it as well, bad attitude.

    We are the Borg of LiarMarketing. Resistance is futile, human.

    come on - get a life, be straight.
  • by sinator (7980) on Tuesday March 15, 2005 @09:25AM (#11942459)
    Oracle 9iAS and 10gAS are VERY heavy on the 302 redirects (as a way to moderate traffic using mod_oc4j).

    Most of the redirects are innocuous, for example with an application whose context-root is /foo, you'd see a redirect from http://www.example.com/foo to http://www.example.com/foo/, but I can see this product borking up search results as its use becomes pervasive in the enterprise.

    Since the product can't be changed, I'd probably change Google's behavior.
    • Maybe its just me, but if the 302 is to a different domain, do you have to assign it across?

      I see lots of 302s used for country shifts e.g. a French visitor is shifted from www.foo.com to fr.foo.com, but its under the same domain foo.com.

      For the ones shifted to other domains, does it matter if you ignore the 302 and take visitors directly to fr.foo.com?

  • WTF (Score:2, Interesting)

    How is this hijacking? How is this any different from me simply adding the text and title of the other page to my page? Sure, I can change the redirect later, or change it for anyone except for googlebot, but I can do that with the content just as easily (more easily, in fact).

    Furthermore, I suspect google has at least a few bots which don't announce themselves as googlebots just to check for such discrepancies.

    • Re:WTF (Score:5, Insightful)

      by LiquidCoooled (634315) on Tuesday March 15, 2005 @09:40AM (#11942547) Homepage Journal
      If the googlebot scans the redirected page and assigns weights based on the end result page, but assigns the ranking to your original page, then you are essentially stealing pagerank from the proper host.

      That is my understanding of the problem, and part of the reason why redirects appear to get higher rankings than simply copy and pasting somebodies content.

      As for covert googlebots, I'm sure they exist as R&D items, but doubt they would be setup in the manner you describe.
      • If the googlebot scans the redirected page and assigns weights based on the end result page, but assigns the ranking to your original page, then you are essentially stealing pagerank from the proper host.

        Since no physical property is involved don't you mean "you are essentially copyright infringing pagerank from the proper host"?

        Hang on a minute, that doesn't sound right ...

    • Re:WTF (Score:5, Informative)

      by gl4ss (559668) on Tuesday March 15, 2005 @09:43AM (#11942565) Homepage Journal
      from tfa:
      *it allows a hijacking website to replace pages belonging to target websites in the Search Engine Results Pages*

      that's what it does. think about it for a while. sure they could have protection but at the time it seems they DO NOT.

      *What does it look like?
      The Search Engine Results Pages ("SERPs") will look just like normal results to the searcher when a page hijack has occured. On the other hand, to a webmaster that knows where one of his pages used to be listed, it will look a little different. The webmaster will be able to identify it because (s)he will see his/her page listed with an URL that does not belong to the site. The URL is the part in green text under listings in Google.*

      a lot of people use google as a sort of bookmarks page(with keywords they remember), potentially this could hurt them. what it more likely happens if it isn't fixed is that advertisers start to pollute the results even more, eventually leading google to be useless.

      • Re:WTF (Score:4, Funny)

        by slimak (593319) on Tuesday March 15, 2005 @10:03AM (#11942689)
        a lot of people use google as a sort of bookmarks page(with keywords they remember)

        I didn't even realize that I did this until I read your post. Not that anyone cares, but I only have 4 or 5 regular bookmarks; the rest of the pages I need to goto I either a) remember because the url is so easy or i go there so much (e.g., slashdot, orderyourrussianwife.com, etc) b) do a search for them as needed (e.g. martin vetterli's homepage), or c) use the url auto-complete in the browser.

      • by zeath (624023)
        people use google as a sort of bookmarks page(with keywords they remember)

        Keyword-driven bookmark system? Sounds like a patent you'd read about in a /. article being used as a bully tactic against high-volume barely-applicable products.
    • It is hijacking because you can switch any page (i.e. the page ranked #1 for 'online poker') with the URL of your choice. i.e. your URL will be in the #1 position.

  • Seems like (Score:4, Funny)

    by kc0re (739168) on Tuesday March 15, 2005 @09:27AM (#11942468) Journal
    Seems like all the hackers are struggling now-a-days. There are no "good" exploits coming out anymore. No directory Unicode transversals.. No Code Red, No Nimda. Not even SQL Slammer...
    We haven't had a good exploit/0day in how long? Since the Webdav exploit? Or the RPC DCOM? Now we have to use Google, phishing techniques, and URL redirection. We are scraping the bottom of the barrell apparently.
    • Two words (Score:2, Insightful)

      by Anonymous Coward
      Windows firewall.

      Windows firewall apparently put the rubber on any bugs out there spreading rapidly. Don't lose all hope though there's plenty of viruses that can spread the old fashioned way, through email and MSN. Not even by exploiting vulnerabilities, just by suckering people.

      "Visit this URL and download and run this cool file"

      I expect a nasty IM virus someday.
      • Re:Two words (Score:3, Insightful)

        by shird (566377)
        I expect a nasty IM virus someday.

        I dont. There was a recent gdiplus bug which allowed arbitrary code to be executed through just viewing an image. This could be exploited through MSN messenger with no interaction on part of the user.

        So wheres the virus? There is none, because MS just has to block that client and force people to upgrade to connect. Centralisation can be a wonderful thing sometimes.
  • Follow the advice (Score:2, Insightful)

    by Redwin (805980)
    In the article is says:

    "For this to happen, we need to put some pressure on the search engines."

    Such as posting it on /. I'm sure that would create attention!
  • by Buran (150348) on Tuesday March 15, 2005 @09:34AM (#11942506)
    A site registered and hosted using stolen funds from my credit card is still online following phoned and faxed demands for revocation and refund sent to the registrar/host. Can I somehow use this to send an entire domain to a black hole until the hosting/domain are revoked? It wouldn't be hacking, but it would make me feel a lot better to see the scammers knocked offline. If no one can get to them on google, they can't get any scam income. And what are they going to do -- sue me? That just would result in my slapping them with *criminal* charges as well as a motion for dismissal and a countersuit.
    • A site registered and hosted using stolen funds from my credit card is still online following phoned and faxed demands for revocation and refund sent to the registrar/host. Can I somehow use this to send an entire domain to a black hole until the hosting/domain are revoked?

      No, only posting their link on Slashdot would have that effect.
  • by G4from128k (686170) on Tuesday March 15, 2005 @09:35AM (#11942512)
    In the Google example shown in TFA, its "easy" to spot a hijack by looking at the URL. But if Google or other search engines were to support IDN (Internationalized Domain Names), then it would be even easier for a criminal to hijack a bank's login page with the IDN browser exploit [slashdot.org].
  • No 302? (Score:2, Informative)

    by Anonymous Coward
    Sheesh. What a description. Couldn't he just say:

    Create page that, when accessed by Googlebot, creates its own HTTP connection to a different, highly ranked page, and returns its contents to the Googlebot, but retuns your contents to everyone else than Googlebot.

    Ooops - no 302 needed? Houst^H^HGoogle, we have a problem.
  • Fun (Score:5, Interesting)

    by stang7423 (601640) on Tuesday March 15, 2005 @09:39AM (#11942534)

    Wow. That's a fun exploit... I can't wait to go tell my boss why our site links to a pron site on google.

    All kidding aside this could be a major problem for some of the more controversial websites. Akin to the Googlebombing [slashdot.org] that was just mentioned yesterday this could be the next major attack scheme on the net. Imagine a pro-life site subverting a pro-choice site, Neo-nazi's subverting a site intended for Jewish children, the US government subverting Al Jazera...

    Not a whole lot of fun IMHO. I trust google to return what I search for, if this changes I and a whole lot of other nerds are going to be left wandering aimlessly around the net.

    • Duplicate content (Score:2, Interesting)

      by tfountain (619557)

      I've seen this effects of this first hand and it's a slightly nastier problem than people realise.

      It's not uncommon for search engines to penalise sites for duplicate content, i.e. identical content on multiple domains. So with this problem all it takes is a couple of other sites to link to you, completely innocently with a 302, and *bang*, your site disappears down the listings.

  • well i guess this could be good news for the blogging google bombers..... http://slashdot.org/article.pl?sid=05/03/15/003522 5&tid=217&tid=1 [slashdot.org] they might actually get something done about the spam.
  • Further Reading (Score:5, Informative)

    by mike2R (721965) on Tuesday March 15, 2005 @09:41AM (#11942554)
    The main thread about this on WebMasterWorld [webmasterworld.com] is over 500 posts now.. lots of good info there.
  • Bollox (Score:2, Insightful)

    by pgregg (185457)
    It doesnt replace the URL at all. My reading is that google simply adds a new page in the database for the url you gave it. In this regard, how is this any different to a wget --mirror on the attempted "hijacked" site? Maybe more efficient but the net result is you are just trying to blag google hits of someone else's content.

    PageRank _should_ sort this out as I'm sure lots more people will be linking to news.bbc.co.uk than to r.example.tld/foo/rAndoMLettERS (from the example).

    Storm in a [child's] te
    • Re:Bollox (Score:3, Insightful)

      by julesh (229690)
      My understanding is that it adds the PageRank of the page you redirect to, and applies it to your site. So, you appear in the listing right next to the site you linked to, above it if you have a pagerank of your own to add. If you just copied the content, then you'd end up with your own page rank only, throwing you down at the bottom of the list somewhere...
    • Re:Bollox (Score:4, Informative)

      by Patrick13 (223909) on Tuesday March 15, 2005 @11:13AM (#11943182) Homepage Journal
      It doesnt replace the URL at all. My reading is that google simply adds a new page in the database for the url you gave it. In this regard, how is this any different to a wget --mirror on the attempted "hijacked" site? Maybe more efficient but the net result is you are just trying to blag google hits of someone else's content.

      PageRank _should_ sort this out as I'm sure lots more people will be linking to news.bbc.co.uk than to r.example.tld/foo/rAndoMLettERS (from the example).

      Storm in a [child's] teacup.

      I have seen this exploit used in a variety of ways.

      For instance, this kind of redirect could be used to highjack Amazon.com - the user types in Amazon into a search box, sees the title and snippet that matches amazon, clicks it, the hijacker gets affiliate commission credit for sending people to amazon.com.

      Basically the 302 link makes the linking site appear to host the target site's page, and it replaces it in the search results.

      You can pretty much do it for any site. In the case of Amazon, they'd likely void your affiliate commissions - if they noticed (which they would eventually) but if you did it for a few days before, say, Christmas, and took it down after it worked, you might net 8 - 15K in a single day.

      Another danger is a malicious site whose redirect page sniffed for JavaScript. User Agents with JS deactivated would redirect straight to, say, CNN, if the UA accepted JS, it could start loading one of the many spyware "tools" that forcefeed affiliate tracking cookies into the user's computer, or much worse.

      There are tens of thousands of searches for "cnn.com" in the search engines a day - even if the highjacker was able to only replace CNN for a day, the harm would be widespread.

      Unfortunately, the Google PageRank is not considered when ranking the sites, as Google basically considers www.example.com/302.php?www.cnn.com to actually be www.cnn.com - it will show CNN.com's backlinks when your query backlinks for the hijack url, for example.
  • by manmanic (662850) on Tuesday March 15, 2005 @09:46AM (#11942590)
    "Sometimes the target page will win, sometimes the redirect script will win. Specifically, if the PageRank of the target page is lower that the PageRank of the hijacking page, it's most likely that the target page will drop out of the SERPs"

    This means that you can't reliably hijack the page unless you have a higher PR than it. But if you have a higher PR than that page then could just as well copy its content, then wait till you're spidered, then substitute for whatever you want.

    In other words, this is nothing more than another way to exploit two existing problems: (a) that you can steal anyone's content on the web (though see this [copyscape.com] for a way to detect it) and (b) you can cloak your site for the search engines (though I'm sure they notice that too).

    In summary, there is nothing new in this whatsoever.

  • by Snaller (147050)
    ...a webmaster can redirect people on his own site? Wow, the horror. (You can't place redirects on someone elses pages)

  • by bigtallmofo (695287) on Tuesday March 15, 2005 @09:50AM (#11942616)
    Anyone that wants to steal your traffic can take advantage of this. Nearly all the sites that I have created in the last year have been purposely hijacked by this and don't show up in any Google rankings. I've learned to live with it despite contacting the jerk responsible who pleaded innocent and said he wasn't very technical and didn't know what was going on.

    Historically, good content meant good search engine placement. Now that this little trick is being more publicized, it just decreases the amount of time required for someone to hijack your entire site and remove it completely from the search engine results.
  • Wait... (Score:5, Funny)

    by zBoD (86938) <BoD@JRAF.org> on Tuesday March 15, 2005 @09:59AM (#11942665) Homepage Journal
    Do you mean this is not www.kuro5hin.org ??
  • by eno2001 (527078) on Tuesday March 15, 2005 @10:01AM (#11942674) Homepage Journal
    ...if I COULD get to the page. But it's being redirected with a 302. ;P
  • by Junior Samples (550792) on Tuesday March 15, 2005 @10:06AM (#11942713)

    I've noticed that a lot of my google searches get redirected to an Ebay search page even though the displayed url in the search results is a non-ebay url. I checked the Google cached result and it was not the same as the re-directed page.

    It's very annoying as I haven't been able to figure out what is going on. The same Ebay search results show up under dozens of urls in the Google search results

  • by Anonymous Coward on Tuesday March 15, 2005 @10:41AM (#11942967)
    There seems to be a lot of confusion as to why exactly this is such a big deal. A lot of people saying there's no problem or that this is nothing... basically just not understanding the issue. Let me explain:

    Suppose you have a small business under the domain http://xyz.com/, and search engines bring you a lot of traffic because you rank high for keywords in your market. You have a lot of people out there linking to you, a lot of satisfied customers, good content on your site. You're always in the top 10 somewhere when people search for "xyz widgets".

    Well, this issue with Google makes it very easy -- incredibly easy -- for someone to knock your site out of the rankings entirely. And I mean for *everything*, to where searching for your own company name in quotes literally buries you hundreds of pages deep in the results. We're talking sites going from getting 1000 unique hits to 10 overnight.

    And here's the kicker: It requires absolutely no technical knowledge, no time investment, and is perfectly legal...

    All I have to do is have another domain handy that is roughly as popular as yours. And I make a "links" page, like one of those directory services, that lists your website. But instead of being a normal hyperlink, it's a CGI (or PHP or ASP or whatever) script that generates a 302 redirect to your domain... Now, these are very simple, common scripts. One-liners that you can download from cgiscripts.com and stick on your server. The original intent of these scripts is to track which links are being clicked on your site. But now they've found a new use, because when Google gets that 302, all hell breaks loose.

    See, according to the HTTP spec, 302 is a *temporary* redirect, which means Google is supposed to interpret whatever content it finds at the 302 target (your site) as really belonging to the URL of the source (my site). Google is just obeying the spec strictly here, and with devestating results. Why? BECAUSE THE DUPE FILTER NOW KICKS IN! You see, Google has a "dupe filter" that says if the same exact content is found for two unique URLs, then one of the URLs is obliterated in the rankings. Because after all, searchers don't want to be finding the same content over and over. If that happens, they'll start using a different search engine. But Google, sticking strictly to the HTTP spec, doesn't know who the content really belongs to when it gets a 302.

    So Google essentially flips a coin. And if it comes up tails, say bye-bye to your domain in the rankings. Your *entire* domain. Because the dupe filter isn't limited to just the page that the 302 is pointing to -- it applies across your entire domain.

    These 302 "exit-link-trackers" are all over the web. They've been used by webmasters for years. But it's just recently that Google has started treating 302 this way, so it didn't have any bad effect before. But now it kills you.

    The funny thing is, the solution seems pretty simple: Just stop treating 302s this way if they point to a different domain. But for whatever reason Google isn't listening. Hopefully the press that's being generated now will give them the kick in the ass that they need.
  • I don't get it (Score:3, Interesting)

    by zeath (624023) on Tuesday March 15, 2005 @10:43AM (#11942979) Homepage
    I don't get it. This is all just sensationalism to me. If you play with 302 redirects, something bad might happen, but there's no way to predict it (as per the article, it's an arbitrary choice based on pagerank and other internal mechanisms). To me this is just a Google equivalent of terror alert orange.
  • It happened to me.. (Score:5, Informative)

    by Dynamoo (527749) on Tuesday March 15, 2005 @10:46AM (#11943002) Homepage
    It happened to me, and I'm sure by accident. I have a reference page that gets about 1000 hits a day.. and all of a sudden traffic dried up. It wasn't that it had gone down - Google was suddenly sending zilch.

    Well, I knew about the 302 bug (in fact, it's been known for months in professional webmaster circles).. so, I did an allinurl:mydomain.com/mypage.htm search on Google to find the culprit. Low and behold, it was some blog page about one PR below my page with a script that redirected through a 302. The catch was that this redirect script ONLY worked if you clicked on it from the blog itself - if you clicked on it from the Google SERPs you got a 500 server error.. so in effect, Google misidentified the redirect page as my actual page and then subsequently tried to spider it from the URL directly and got a 500 error.. the result being that I was dropped from the index. Was this malicious? Hardly - the webmaster had compiled a small list of cool, useful links - not knowing that his buggy redirector was killing those sites off.

    So whaddya do? I tried emailing the webmaster but everything bounced. It looks like he was out of the country. I tried giving Google feedback, but frankly that's just like offering up a prayer to the Great Google God - so I also used the BASE HREF trick mentioned in the article, and after a few days the page came back in the index as normal. So, either that trick worked or the Google God answered my prayers. I'm guessing at the former.

  • by muonzoo (106581) on Tuesday March 15, 2005 @10:51AM (#11943035) Homepage

    This "exploit" isn't very interesting and the author really doesn't seem to have a good grasp of the HTTP protocol design, the end-to-end model, or the internet in general.


    I'd be very careful before I blindly changed all my redirects to 301s. The semantics behind a 301 and 302 are VERY different and unless you want people to replace the original URI with the target in your 301s, forever, you might be entering a world of hurt.


    From RFC 2616 -- HTTP/1.1 [ietf.org]:

    10.3.2 301 Moved Permanently

    The requested resource has been assigned a new permanent URI and any future references to this resource SHOULD use one of the returned URIs. Clients with link editing capabilities ought to automatically re-link references to the Request-URI to one or more of the new references returned by the server, where possible. This response is cacheable unless indicated otherwise.

    ...

    10.3.3 302 Found

    The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field.

    ...

    This is a common theme in the high-tech world; Joe Hacker figures out a problem and a 'solution'. Problem is, they don't understand all the implications of the solution. That doesn't stop them from yelling loudly about the solution. Without a comprehensive explanation of the impact of the 'solution' you might be just causing yourself harm in other areas down the road.


    Education and thorough analysis are always a good idea when you are dealing with complex systems that might have emergent behaviors. This is certainly one of the bigger pet-peeves at the IETF [ietf.org] and with the IESG [iesg.org].

  • by marvin2k (685952) on Tuesday March 15, 2005 @10:54AM (#11943052)
    *waves hand*
    "This isn't the webpage you are looking for."
  • by Transcendent (204992) on Tuesday March 15, 2005 @03:13PM (#11945636)
    Easiest way to fix it is to not follow 302's since 302 means [w3.org] "The requested resource resides temporarily under a different URI."

    I would imagine that this could cause a problem with getting a website into the listing that is in the process of moving, but if Google simply waited until it's an actual 200 status code, then redirections would get ignored (since they're not .

    From the W3C document:
    The temporary URI SHOULD be given by the Location field in the response. Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s).

    Again, and since even the temporary URI doesn't have to be given, 302's should be ignored. Even 301's and 303's are not acceptable since the new URI doesn't have to be given.

    The harder way to fix it is to only accept 3xx response codes that give the new URI in response. Even then, I assume it's possible to still fake a 200 response code if you modify the http daemon, and make a transparent redirection... thus fooling the search engine in every respect.

    In my opinion, I don't see a way around it unless you include signature files or such... but even if you used and SSL connection, it's probably still exploitable.

    I guess you're damned any way you look at it.

If a 6600 used paper tape instead of core memory, it would use up tape at about 30 miles/second. -- Grishman, Assembly Language Programming

Working...