A flaw was just discovered in Google’s Knowledge Graph that makes it possible to manipulate search results. Put briefly, “by adding two parameters to any Google Search URL, you can replace search results with a Knowledge Graph card of your choice,” said Wietze Beukema, the researcher who discovered the bug. Why is the bug potentially dangerous? It could be exploited to generate false information, the so-called “fake news”.
The researcher demonstrated how malicious users could alter search URLs so that a knowledge panel displays whatever information they choose.
So, what is the Knowledge Graph bug all about?
A closer examination of Knowledge Graph shows that you can attach a Knowledge Graph card to your Google Search, which might be helpful if you want to share information provided in a Knowledge Graph card with someone else.
If you click on the share button – present on every card – you’ll be given a shortened link (an https://g.co/ address). Following this link redirects you back to google.com with the original search query. What differs, however, are the parameters used: the URL will contain a &kgmid parameter. The value of this parameter is the unique identifier of the Knowledge Graph card shown on the page.
The researcher discovered that this parameter can be added to any valid Google Search URL, and it will display the Knowledge Graph card next to the search results of the search query:
For instance, you can add the Knowledge Graph card of Paul McCartney (kgmid=/m/03j24kf) to a search for the Beatles, even though that card would normally not appear for that query.
In addition, it should be mentioned that Google also offers a way to view the Knowledge Graph card in isolation and omit the search results. This is done simply by adding the &kponly parameter to the URL. This way, the Knowledge Graph card is no longer a side panel but has moved to where you would normally see the search results, the researcher explains.
It is also noteworthy that the bug was first discussed in 2017 and is now back in the spotlight. The researcher himself says he reported it a year ago. The bug raises concerns about the potential for spoofing search results:
If, for example, your search query is a question, you can now pick a Knowledge Graph card that has your desired answer and only show this desired answer. Forward on the link to someone else and you might convince them Jaffa cakes are actually biscuits. More seriously, this technique could be used for spreading false information for political or ideological gain.
How can this be prevented from happening? The researcher believes that the kponly parameter should be disabled by Google, but a better solution might be entirely removing the kgmid option.
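Until Google changes the behaviour, a link-checking gateway can at least spot or neutralise links that carry these parameters. The following is an added example (not code from the researcher or from Google): it parses a Google Search URL, reports whether it pins a Knowledge Graph card (`kgmid`) or hides the organic results (`kponly`), and rebuilds the URL without them. The host pattern and the sample URLs are assumptions; `g.co` short links would have to be expanded before inspection.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameters described in the article: kgmid selects which Knowledge Graph
# card is shown, kponly replaces the search results with that card alone.
CARD_PARAMS = {"kgmid", "kponly"}

# Assumed host pattern for Google Search front ends (google.com, google.co.uk, ...).
GOOGLE_HOST = re.compile(r"(www\.)?google\.[a-z.]{2,}")


def inspect_search_link(url):
    """Describe a link's Knowledge Graph overrides.

    Returns a dict with is_google_search, query, kgmid, kponly and suspicious.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    result = {"is_google_search": False, "query": None, "kgmid": None,
              "kponly": False, "suspicious": False}
    if not (GOOGLE_HOST.fullmatch(host) and parts.path == "/search"):
        return result  # not a Google Search URL, nothing to check
    # keep_blank_values so a bare "&kponly" (no value) is still seen
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    result["is_google_search"] = True
    result["query"] = params.get("q")
    result["kgmid"] = params.get("kgmid")
    result["kponly"] = "kponly" in params
    # A card pinned to an unrelated query, or results hidden behind a card,
    # is exactly the spoofing pattern the article describes.
    result["suspicious"] = result["kgmid"] is not None or result["kponly"]
    return result


def strip_card_params(url):
    """Rebuild the URL without kgmid/kponly so the normal results are shown."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in CARD_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    # Constructed sample: the Beatles query with Paul McCartney's card pinned.
    link = "https://www.google.com/search?q=the+beatles&kgmid=/m/03j24kf&kponly"
    print(inspect_search_link(link))
    print(strip_card_params(link))
```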