XSS in Black Hat SEO?

About a month ago, British SEO veteran Tom Anthony disclosed a weakness in Googlebot that black hat SEOs could use to inject links into other websites through XSS vulnerabilities, and he showed that Googlebot does crawl these injected links. If this were exploited on a large scale, it would obviously affect the flow of link weight and search rankings.

Tom reported this vulnerability to Google last November, but so far Google has not fixed it. Google said that its existing protection mechanisms should prevent this abuse, but that the relevant team was verifying the situation. Google also mentioned some "internal communication difficulties" when responding to Tom. Does every company develop such problems once it grows this big?

Since Google had taken no action for five months, Tom decided to disclose the vulnerability. Webmasters would do well to check whether their own websites have XSS vulnerabilities and to take precautions against link injection. Google agreed to Tom releasing the details, and seems quite confident.

What is an XSS attack?

XSS is short for Cross-Site Scripting; it is a code injection attack. Most websites have functions whose URL parameters a visitor can set to anything, such as search, UGC (user-generated content) submission, and script-based redirects. Take search as an example: the URL is often domain.com/search.php?keyword or domain.com/?s=keyword, where keyword can be replaced by any string.

So what happens when the keyword is replaced by a script? For example, domain.com/?s=<script>alert('XSS')</script>. On a website with this vulnerability, the injected script is echoed into the page without any security filtering or encoding, the browser cannot tell it apart from the site's own script, and so the malicious script is executed.

XSS can be used to steal sensitive user information and to make requests to the website on the user's behalf. It can also run script that inserts content into the generated HTML, and this is the capability that black hat SEO can use to inject links.
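As an added example (not code from the original article or from Tom Anthony's write-up), here is a minimal search-page renderer in JavaScript, first in the vulnerable form described above and then with HTML output encoding applied. The function names and the sample URL are assumptions made for this example; the URL has the same shape as the article's domain.com/?s=... case.

```javascript
// Added example (not from the original article): a minimal search page
// renderer, first in the vulnerable form the article describes, then hardened.
// Function names and the sample query are assumptions made for this example.

// Encode the five characters that let untrusted text break out of an HTML
// text node or attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Extract the "s" parameter from a request URL like the article's domain.com/?s=...
// URL.searchParams percent-decodes the value, so we get the raw payload back.
function searchTermFromUrl(url) {
  return new URL(url).searchParams.get('s') ?? '';
}

// Vulnerable: the query is echoed straight into the HTML, so a <script>
// payload becomes a real script element in the page.
function renderSearchPageUnsafe(url) {
  const term = searchTermFromUrl(url);
  return `<h1>Results for: ${term}</h1>`;
}

// Hardened: the same page, with the query HTML-encoded before insertion.
// The payload is still displayed, but only as text.
function renderSearchPageSafe(url) {
  const term = searchTermFromUrl(url);
  return `<h1>Results for: ${escapeHtml(term)}</h1>`;
}

// Quick check used below: does the rendered page contain a script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample request, the same payload the article uses.
const SAMPLE_URL = "https://domain.com/?s=<script>alert('XSS')</script>";

console.log('unsafe:', renderSearchPageUnsafe(SAMPLE_URL));
console.log('safe:  ', renderSearchPageSafe(SAMPLE_URL));
```

The fix lives at the point where untrusted text is written into the HTML, not in the browser: any visitor or crawler that does not run an XSS filter sees exactly what the server sent, so output encoding on the server is what removes the vulnerability.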

How XSS vulnerabilities are used to inject links into other websites

Modify a parameter in the URL, replace it with a script, let the browser execute the script, and have the script insert content into the HTML: that is how a link gets inserted. Of course, if the link only appears in a user's browser after a click, the search engine will never pick it up and black hat SEO would not be interested. The problem is that Googlebot crawls the URL carrying the injected script and even executes the JavaScript, so Googlebot sees the injected link as well.

If Googlebot recognized XSS attacks the way Google's own Chrome browser does, URLs with injected scripts would not be crawled at all. But according to Google's official documentation, Google's spider has so far used the old Chrome 41 rendering engine, and Chrome 41 has no XSS recognition. Therefore, on a website with an XSS vulnerability, the URL with the injected link can be crawled by Google's spider.
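From the site owner's side, the scenario above leaves a trace in the web server's access log: a request whose search parameter carries HTML or script, sometimes fetched by a client identifying itself as Googlebot. The following JavaScript, added here as an example and not code from the original article, parses Combined Log Format lines and flags such requests. The log lines, IP addresses and domain names are constructed for this example, and the function names are assumptions.

```javascript
// Added example (not from the original article): scan web server access-log
// lines for requests whose query string carries HTML or script, and note
// whether the requester claims to be Googlebot. Log lines, IP addresses and
// domain names are constructed; function names are assumptions.

// Combined Log Format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
const LOG_LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

// Markup that has no business in a search or keyword parameter.
const INJECTION_PATTERNS = [
  /<\s*script\b/i,          // script element
  /<\s*a\s[^>]*href\s*=/i,  // an injected anchor, the SEO payload itself
  /<\s*(iframe|img|svg)\b/i,
  /\bon[a-z]+\s*=/i,        // inline event handler attribute
  /javascript\s*:/i,
];

// Decode percent-encoding and '+' (form encoding) without throwing on
// malformed input, which real logs do contain.
function decodeQueryValue(value) {
  try {
    return decodeURIComponent(value.replace(/\+/g, ' '));
  } catch (e) {
    return value;
  }
}

function parseLogLine(line) {
  const m = LOG_LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), userAgent: m[6] };
}

// Query parameters of a request path, decoded, as [name, value] pairs.
function queryParams(path) {
  const idx = path.indexOf('?');
  if (idx === -1) return [];
  return path.slice(idx + 1).split('&').filter(Boolean).map((pair) => {
    const eq = pair.indexOf('=');
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    return [decodeQueryValue(name), decodeQueryValue(value)];
  });
}

// One finding per request whose parameters match an injection pattern.
function findInjectionAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;
    for (const [name, value] of queryParams(req.path)) {
      if (!INJECTION_PATTERNS.some((re) => re.test(value))) continue;
      hits.push({
        ip: req.ip,
        param: name,
        payload: value,
        status: req.status,
        // A self-declared crawler fetching a payload URL is the signal the
        // article describes: someone is trying to get the injected link indexed.
        claimsGooglebot: /Googlebot/i.test(req.userAgent),
      });
      break;
    }
  }
  return hits;
}

// Constructed sample log: a normal search, a raw HTML link injection, the
// article's script payload fetched by a Googlebot user agent, and harmless markup.
const SAMPLE_ACCESS_LOG = [
  '203.0.113.5 - - [10/Apr/2019:10:00:01 +0000] "GET /?s=running+shoes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Apr/2019:10:00:07 +0000] "GET /?s=%3Ca+href%3D%22https%3A%2F%2Fspam.example%2F%22%3Ecasino%3C%2Fa%3E HTTP/1.1" 200 5300 "-" "Mozilla/5.0"',
  '192.0.2.10 - - [10/Apr/2019:11:30:22 +0000] "GET /?s=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E HTTP/1.1" 200 5300 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
  '198.51.100.7 - - [10/Apr/2019:12:00:00 +0000] "GET /search.php?keyword=%3Cb%3Ebold%3C%2Fb%3E HTTP/1.1" 200 4800 "-" "Mozilla/5.0"',
];

console.log(findInjectionAttempts(SAMPLE_ACCESS_LOG));
```

Two caveats for anyone running this over real logs: the user agent string is self-declared, so a Googlebot hit should be confirmed with Google's documented reverse-DNS check before drawing conclusions, and a flagged request with a 200 response only tells you the payload was requested. Whether the page actually echoed it is the question the vulnerability check in the previous section answers, and output encoding on the server, not blocking crawlers, is the fix.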

What is the potential impact on search results?

If a link injected this way counts as a normal link and passes weight and affects rankings, then once black hat SEO adopts it, it obviously helps to manipulate weight and ranking. How much potential impact on search results is there?

The https://www.openbugbounty.org/ website lists more than 125,000 sites with XSS vulnerabilities, including 260 .gov government websites, 971 .edu domains, and 195 of the 500 most-linked sites. Imagine how big the potential impact could be.

Tom's post will almost certainly force Google to take active measures to fix this vulnerability. There is no way Google will let link injection via XSS become an effective SEO cheat. If you want to try it, try as soon as possible; it will surely be fixed soon.

Update: At the Google I/O developer conference on May 7th, Google announced that Googlebot will use the latest version of the Chrome engine, currently version 74, and will keep up with new releases from now on. It seems Google had already prepared.