Spoofing Google Search results

By adding two parameters to any Google Search URL, you can replace search results with a Knowledge Graph card of your choice. A malicious user can use this to generate false information or ‘fake news’.

Update - Two days after the publication of this blog post, Google seems to have fixed the issue, after TechCrunch asked the firm whether it was planning on taking any action. Although no official announcement was made, it looks like the kgmid parameter has been disabled. As a result, the flaw described below is no longer working.

Knowledge Graph

A few years ago, when you entered a search query into Google Search , you would simply get a list of search results. When you do the same now, you get all sorts of extra information supplied by Google. For instance, if you search for ‘UNICEF’, you’ll see a box next to the search results with some key facts about this organisation. This feature is called Knowledge Graph.

Google brought Knowledge Graph to its search engine in 2012 as a means to instantly get information that’s relevant to your query [1]. Whilst the information often comes straight from Wikipedia, this is not always the case - unfortunately Knowledge Graph doesn’t tell you where it got the information from. In addition, the algorithm sometimes mixes up information when there are multiple matches (e.g. people with the same name). This has lead to a small number of incidents regarding the feature’s accuracy [2, 3].

More features were introduced afterwards, such as Featured Snippets [4] and built-in answers (such as ‘what is my ip address’, ‘what time is it in Bejing’, ‘how many ounces in a gallon’, etc.). Although these features are not part of Knowledge Graph, they work in a similar fashion. As a result of all these features, users can ask Google Search questions and get an answer straight away, without leaving the search engine.

A side effect of all this is that people have effectively been trained to take information from these boxes that appear when googling. It’s convenient and quick - I have caught myself relying on the information presented by Google rather than studying the search results, and I’m sure you have too.

Screenshot of a Google Search with a Knowledge Graph card on the right. Example of a Google Search with a Knowledge Graph card on the right

Search queries and Knowledge Graph cards

A closer examination of Knowledge Graph shows that you can attach a Knowledge Graph card to your Google Search, which might be helpful if you want to share information provided in a Knowledge Graph card with someone else.

If you click on the share button - present on every card - you’ll be given a shortened link (a https://g.co/ address). Following this link will redirect you back to google.com with the original search query. What’s different however are the parameters used: the URL will contain a &kgmid parameter. The value of this parameter is the unique identifier of the Knowledge Graph card shown on the page.

As it turns out, you can add this parameter to any valid Google Search URL, and it will show you the Knowledge Graph card next to the search results of the search query. For instance, you can add the Knowledge Graph card of Paul McCartney (kgmid=/m/03j24kf) to a search for the Beatles, even though that card would normally not appear for that query.

While this can be helpful, this also means you can link up different pieces of information and give the impression they are related. Adding Paul McCartney’s Knowledge Graph card to a search query for the Rolling Stones doesn’t make much sense, but if I give this link to my friend who doesn’t know much about music, she might think McCartney was a member of the Rolling Stones. By looking at the search results however, it’s easy to find out this is not the case.

Google also offers a way to view the Knowledge Graph card in isolation and omit the search results. This can be done by adding the &kponly parameter to the URL: the Knowledge Graph card is no longer a side panel, but has moved to where you would normally see the search results. Strangely enough, the search bar is still visible with the original query, even though no search results are shown at all. This link only shows Paul McCartney’s card, but the query (still embedded in the URL) is still visible, even though it now has no relevance whatsoever with what is shown.

‘Spoofing’ a search result

These two things combined open the door to abuse: if, for example, your search query is a question, you can now pick a Knowledge Graph card that has your desired answer and only show this desired answer. Forward on the link to someone else and you might convince them Jaffa cakes are actually biscuits. More seriously, this technique could be used for spreading false information for political or ideological gain.

Examples include:

(To make it absolutely clear, the answer in the first link is subjective and the the last three answers are factually incorrect.)

Screenshot of a Google Search which seems to suggests George W. Bush was responsible for the 9/11 terrorist attack. An example of how easy it is to produce fake news using Google Search.

The point is that this allows you to trick others into believing something is true. After all, it is a legitimate Google Search link and since we have been trained to trust the answers provided by Google, there must be some truth in it, right?

To prevent people from abusing Knowledge Graph, the disabling of the kponly parameter by Google would definitely help (when would you ever just want to see a card without further context?), although in my opinion removing the kgmid option altogether would be even better.

This issue isn’t completely new - I found out about this over a year ago and even then I wasn’t the only one aware of it. What is surprising though is that the problem still hasn’t been addressed by Google. The bug report I filed about a year ago was closed as it wasn’t considered a severe enough vulnerability. I disagree: in this day and age of fake news and alternative facts, it is irresponsible to have a ‘feature’ that allows people to fabricate false information on a platform trusted by many.

Don’t be evil. Or as per Alphabet’s new motto: do the right thing.