Google Knowledge Panel Hijack Explained

ZDNet reported that a security researcher discovered that Google’s Knowledge Panels can be manipulated. The security researcher notified Google a year ago, but Google declined to patch the alleged exploit. One possible reason is that it’s not really a hijacking exploit.

Yet, there may be reasons why Google should consider resolving this issue.

This is not a Hijacking Exploit

The alleged hijacking exploit allows anyone to alter Google’s Knowledge Panel so that they can insert any other knowledge panel into as many search results as they wish.

Here are the search results for “Who is the Best SEO?”

Screenshot of what appears to be an altered search result that shows a fictional film character in the Knowledge Panel for the search phrase, “Who is the Best SEO?”

As you can see, I was able to use the so-called exploit to generate a search result that obviously was altered. It’s shockingly easy to do. Anyone can do it.

But it’s not really a hijack of Google’s search results.

Why it is Not a Manipulation of Search Results

The report on ZDNet claims in the title that, “Google search results listings can be manipulated for propaganda.”

While that’s technically true, there’s more to it than the headline explains.

The so-called exploit does not alter Google’s search results at Google or for anyone other than the person looking at a specific URL.

What this so-called hijack does is allow someone to play around with the URL parameters in order to generate a modified version of Google’s search results.

What are URL Parameters?

A URL parameter is a piece of data carried in the URL. Everything that comes after the question mark (?) in a URL is a parameter.

Screenshot of a browser URL bar showing an example of what a URL Parameter is. It's generally whatever comes after a question mark in the URL

URL parameters pass information to the server. Depending on how the server is set up, they can tell the server what site you clicked through from or what browser you are using. The server then uses that information to alter the search results.

In this case, the URL parameter is changed and that causes the SERP to display whatever knowledge panel you choose.
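As an added illustration (not code from the original article or from Google), the Python sketch below splits a link into the search query a reader expects to see and any other parameters riding along with it, then rebuilds the link without them. The host `search.example`, the parameter name `panel_id` and the allowlist of expected parameters are assumptions made up for the example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameters a plain search link is expected to carry. Assumed for this
# example; not a list published by any search engine.
EXPECTED_PARAMS = frozenset({"q", "hl"})

# Constructed sample links. "search.example" and "panel_id" are hypothetical.
PLAIN_LINK = "https://search.example/search?q=who+is+the+best+seo"
ALTERED_LINK = PLAIN_LINK + "&panel_id=EXAMPLE-ENTITY-ID#top"


def inspect_search_link(url, expected=EXPECTED_PARAMS):
    """Report what a search link asks for beyond the visible query."""
    parts = urlsplit(url)
    # keep_blank_values so a parameter with an empty value is still reported
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    query_terms = [value for key, value in pairs if key == "q"]
    extra = [(key, value) for key, value in pairs if key not in expected]
    kept = [(key, value) for key, value in pairs if key in expected]
    # Rebuild the link from the expected parameters only, without a fragment
    clean_url = urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(kept), "")
    )
    return {
        "host": parts.hostname,
        "query_terms": query_terms,
        "extra": extra,
        # Unexpected parameters or a repeated query both deserve a second look
        "needs_review": bool(extra) or len(query_terms) > 1,
        "clean_url": clean_url,
    }


if __name__ == "__main__":
    for link in (PLAIN_LINK, ALTERED_LINK):
        report = inspect_search_link(link)
        print(link)
        print("  query shown to the reader:", report["query_terms"])
        print("  other parameters:", report["extra"])
        print("  link without them:", report["clean_url"])
```

Opening the rebuilt link instead of the one received shows the results for the query alone, which is the comparison that reveals whether a parameter changed the page.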

Does the Knowledge Panel Exploit Change Search Results?

Modifying the URL parameters does not alter the search results at Google itself or for everyone. It only alters the search results for the person who alters the URL themselves or for a person who clicks through a link to that altered search result.

Is the Knowledge Panel Exploit Dangerous?

Anything is dangerous depending on what you do with it. In itself, altering a URL is not dangerous.

Any potential danger depends on how a malicious person might use these altered URLs. It’s possible that someone might use these URLs to mislead people.

It is an exaggeration to say that Google’s search results can be manipulated. That implies that the search results for everyone can be manipulated. That is not the case.

At best this is an amusing trick. It’s yet to be seen if someone with malicious intentions could use it for negative ends.

UPDATE 01-16-2019:

Google appears to have fixed this issue. But the fix may cause a different issue to arise for those using MREIDs in their structured data, with a link to their Google Knowledge Panel.

The fix may inadvertently cause issues for those who were linking to their Google Knowledge Panel from within their structured data, using sameAs and a URL to a Google Machine-Readable Entity ID. This becomes an issue if the search contains the phrase “knowledge graph search api”. The fix is easy: generate a new search using your MREID, but use your entity in the search box.