Google Knowledge Graph Easily Spoofed To Spread Tainted Search Results
One of the most prevalent problems on the web, and especially on social media, is telling legitimate news stories from fabricated ones, which has led to the use (and sometimes overuse) of the term "fake news." The term usually refers to full-fledged articles, but it turns out to be surprisingly easy to manipulate a Google search result page so that it appears to support a false narrative.
For example, it's possible to construct a seemingly legitimate Google search URL for "Where was Barack Obama born" and have the result display Kenya, or "By whom was Donald Trump endorsed" and have the result show Pope Francis. Those are both false—Obama was born in Hawaii on August 4, 1961, and Pope Francis didn't endorse the current president of the United States.
How is this possible? Security specialist Wietze Beukema outlined in a blog post how a user can take the URL parameters from one search result and splice them into another, producing a new URL that combines the two. The flaw lies in Google's Knowledge Graph, which Google added to search in 2012 as a way of presenting users with a card of information about the topic they searched for.
"A closer examination of Knowledge Graph shows that you can attach a Knowledge Graph card to your Google Search, which might be helpful if you want to share information provided in a Knowledge Graph card with someone else," Beukema says.
There are Knowledge Graph cards for a wide range of search queries. Each one has a share button, and clicking it produces a shortened URL.
"If you click on the share button— present on every card—you’ll be given a shortened link (a https://g.co/ address). Following this link will redirect you back to google.com with the original search query. What’s different however are the parameters used: the URL will contain a &kgmid parameter. The value of this parameter is the unique identifier of the Knowledge Graph card shown on the page," Beukema explains.
This is where things get interesting, and potentially mischievous. The &kgmid parameter can be appended to any search URL. For example, the Knowledge Graph card for Paul McCartney is identified by &kgmid=/m/03j24kf. A user could take that parameter and attach it to a search for the Rolling Stones, or any other query, so that the result page for that query displays McCartney's card.
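The following Python script is an added example, not code from the article or from Beukema's post. It reproduces the splice described above (the q parameter of one query plus the kgmid of an unrelated card) with the standard library, and pairs it with the check a practitioner would actually want: a function that flags any google.com/search URL carrying a kgmid parameter and one that strips the parameter before a link is rendered or shared. The McCartney identifier is the one quoted in the article; the Rolling Stones query and the host check limited to google.com are assumptions of the example.

```python
"""Added example (not from the article or Wietze Beukema's post): build
and detect Google Search URLs that carry a foreign Knowledge Graph card
through the kgmid query parameter."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

GOOGLE_SEARCH = "https://www.google.com/search"

# Card identifier for Paul McCartney, as quoted in the article.
MCCARTNEY_KGMID = "/m/03j24kf"


def _is_google_search(parts):
    """True for https://google.com/search and any *.google.com/search.
    Simplification: country domains such as google.co.uk are not matched."""
    host = (parts.hostname or "").lower()
    return (host == "google.com" or host.endswith(".google.com")) and parts.path == "/search"


def build_spoofed_search_url(query, kgmid, base=GOOGLE_SEARCH):
    """Reproduce the trick from the article: attach the kgmid taken from one
    card's share link to an unrelated search query."""
    parts = urlsplit(base)
    params = {"q": query, "kgmid": kgmid}
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), ""))


def extract_kg_injection(url):
    """Return (query, kgmid) when a Google Search URL carries a kgmid
    parameter, else None. A g.co short link must be expanded first; this
    only inspects the final google.com URL."""
    parts = urlsplit(url)
    if not _is_google_search(parts):
        return None
    params = parse_qsl(parts.query, keep_blank_values=True)
    query = next((v for k, v in params if k == "q"), None)
    kgmid = next((v for k, v in params if k == "kgmid"), None)
    if kgmid is None:
        return None
    return (query, kgmid)


def strip_kgmid(url):
    """Defensive rewrite: drop kgmid so Google shows whatever card it would
    normally pair with the query. Non-Google URLs are returned unchanged."""
    parts = urlsplit(url)
    if not _is_google_search(parts):
        return url
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "kgmid"]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), parts.fragment))


if __name__ == "__main__":
    # Constructed demonstration: a Rolling Stones search wearing McCartney's card.
    spoofed = build_spoofed_search_url("The Rolling Stones", MCCARTNEY_KGMID)
    print("spoofed :", spoofed)
    print("flagged :", extract_kg_injection(spoofed))
    print("cleaned :", strip_kgmid(spoofed))
```

Because the spoofed link really is served by google.com, a domain allow-list does not catch it; the only thing to key on is the kgmid parameter itself, which is why the check looks at the query string rather than the host.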
By using this trick, a user can spoof a search result and then share what looks like a legitimate Google URL on Facebook, Twitter, or anywhere else. The link genuinely points at google.com, so the only visible tell is the extra &kgmid parameter in the query string. Notably, this has been a known issue for at least a year: Beukema says he filed a bug report long ago, but Google has not deemed it severe enough to prioritize a fix.