How I Hacked Google (For Good)

Is it possible to insert custom JS into the SERP? Let's go and see, guys.

This is only an exercise and is not intended to crack anything. I will notify Google of this possible bug so it can be fixed soon, but it is an interesting and curious case.

Rich Snippet Testing Tool Hack

In the following image you can see a JavaScript injection in the Rich Snippet Testing Tool.


In the following image, the hack inside the SERP. Clicking on the breadcrumb snippet ("News dal mondo del search") makes a JavaScript alert appear. Check it here.

The Code

The code used is a simple javascript: URL inserted in the href of the breadcrumb structured-data markup (the v:Breadcrumb RDF vocabulary, which the author refers to as microdata).

You can also see it running on this page. It is also possible to define cross-domain linking in the breadcrumb, which doesn't make a lot of sense (except for subdomains, obviously).

<div itemprop="breadcrumb" class="breadcrumb top" id="breadcrumbGT2">
<span prefix="v:">
<a href=""></a> › 
<span typeof="v:Breadcrumb"><a href="" rel="v:url" property="v:title">Magazine</a></span> ›
<span typeof="v:Breadcrumb"><a href="" rel="v:url" property="v:title">SEO</a></span> › 
<!-- the javascript: URL in this href is what the SERP rendered as a clickable breadcrumb link -->
<span typeof="v:Breadcrumb"><a href="javascript:alert('Here is How #QuadroQuadretti and @andreapernici Hacked the SERP!')" rel="v:url" property="v:title">News dal Mondo del Search</a></span> › 
<span typeof="v:Breadcrumb"><a href="" rel="v:url" property="v:title">Google</a></span> › 
<span typeof="v:Breadcrumb"><span class="breadcrumb_last" property="v:title">Hacking Google</span></span>
</span>
</div>

Share it! Love it! And don't crack

06-12-2014 at 14:52 Update - Google disabled breadcrumb links in SERPs

After some hours Google put in a temporary fix, disabling the breadcrumb rich snippet in some cases and removing the link from the rich snippet in others.

Look at the image below. The vast majority of results lost their breadcrumbs, and the only one that still has breadcrumbs cannot be clicked.

Breadcrumbs Gone

07-12-2014 at 9:00 Update - Google sent us an alert in Webmaster Tools and disabled rich snippets for the whole site

After a day Google put our website on the rich snippet spam blacklist.

In the image below you can see the Google Webmaster Tools warning (in Italian) telling us we violated the Rich Snippet Guidelines, but I can't find anywhere that says I can't put a JavaScript alert, which is completely on topic for this post, in my own code.

WMT Alert

And below, the Rich Snippet Spam manual action.

WMT Alert

In any case I understand Google's point of view, but the hack could potentially be much worse than mine, and I limited it to a single case in a harmless way.

Let's see what will happen! Now I'm going to remove the microdata code from the breadcrumb, even though there is nothing bad in it, and I'll submit a reconsideration request.

We are not Bad Guys.

09-12-2014 Update - "Event urls are pointing to a different domain than the base url."

Microdata Events

This error message in the Rich Snippet Testing Tool is quite interesting, and I think the same check should also be applied when filtering breadcrumb input.
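To make the two checks this post asks for concrete (a breadcrumb href must not be a javascript: URL, and, like the Event URLs above, it must not point off the site's own domain), here is an added example of a pre-render validator. It is not Google's code and not the markup from this page; the host names, the "same site" rule and the sample trail are assumptions made up for the demo, and it uses the WHATWG URL parser so that scheme obfuscation is normalised the way a browser would normalise it.

```javascript
// Added example (not Google's code, not this post's markup): validate breadcrumb
// hrefs before rendering them as links, applying the two rules argued for above:
//  1. only http(s) hrefs become clickable (javascript:, data:, ... are dropped);
//  2. the target must be the page's own host or a subdomain of it, i.e. the
//     cross-domain check the Rich Snippet tool already applies to Event URLs.
// The WHATWG URL parser strips leading/trailing space and embedded tab/newline,
// exactly as a browser does, so obfuscated schemes are classified correctly.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Assumption: "same site" means the base host (minus a leading "www.") or any
// subdomain of it; a real deployment may want a public-suffix-aware rule.
function sameSite(hostname, baseHostname) {
  const site = baseHostname.replace(/^www\./, "");
  return hostname === site || hostname.endsWith("." + site);
}

function validateBreadcrumbHref(href, baseUrl) {
  let url;
  try {
    url = new URL(href, baseUrl); // relative hrefs resolve against the page URL
  } catch (e) {
    return { ok: false, reason: "unparseable" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: "scheme:" + url.protocol };
  }
  if (!sameSite(url.hostname, new URL(baseUrl).hostname)) {
    return { ok: false, reason: "cross-domain:" + url.hostname };
  }
  return { ok: true, href: url.href };
}

// Rejected items keep their title but lose the link (href: null), which is what
// Google's temporary fix described above did for the snippet as a whole.
function filterBreadcrumb(items, baseUrl) {
  return items.map(({ title, href }) => {
    const v = validateBreadcrumbHref(href, baseUrl);
    return v.ok ? { title, href: v.href } : { title, href: null, rejected: v.reason };
  });
}

// Constructed sample trail modelled on the post's markup; the domain is made up.
const SAMPLE_BASE = "https://www.example.com/magazine/seo/hacking-google/";
const SAMPLE_TRAIL = [
  { title: "Magazine", href: "/magazine/" },
  { title: "SEO", href: "HTTPS://www.example.com/magazine/seo/" },
  { title: "News dal Mondo del Search", href: "javascript:alert('Hacked the SERP')" },
  { title: "Google", href: " java\tscript:alert(1)" },   // obfuscated scheme
  { title: "Partner", href: "//other.example.org/" },    // protocol-relative, off-site
  { title: "Blog", href: "https://blog.example.com/" },   // subdomain, allowed
];
console.log(filterBreadcrumb(SAMPLE_TRAIL, SAMPLE_BASE));
```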

I think this Google bug is huge and potentially goes beyond breadcrumbs. I think this silly experiment shows how the Open Web must be used with care. If Google can get it wrong, the security implications and risks of using it irresponsibly can be very high.

12-12-2014 Update - Manual action for rich snippet spam revoked after the reconsideration request

Revoked Manual Action

After 5 days Google revoked our manual action for rich snippet spam. We submitted the reconsideration request after cleaning the structured markup on this page, and in a short time the Google Search Quality Team acted to remove the penalty. Thanks guys.

What we can learn here is that Google is very fast in removing a manual action if you identify exactly where the issue is.