How I am able to hijack you.

or rather: How I am able to hijack your autosuggestions in Google Search.

terjanq
Apr 3, 2019 · 3 min read

Google Search has been going through a lot lately due to the outstanding XSS finding by Masato Kinugawa. In this brief article I want to share with you a bug that is maybe not as exciting as the finding mentioned above, but for sure a very cool one, which I discovered when sniffing around Google Search lately.


The title, together with the intro image at the side, should already reveal what the vulnerability that I found is about. It’s manipulation of one’s autosuggestion list, which pops up when they’re searching for phrases using the Google Search website.

What I discovered is that the only step required to add an exact phrase into the mentioned list is simply visiting the URL https://www.google.com/search?q=phrase. Simple as that. The attacker can just make a few requests in the background and put anything into your autosuggestions without you even noticing.
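
The root cause described above is that a plain GET, which any page can trigger in the background, writes to per-user state. As an added example (not from the original post and not Google's code), here is a hypothetical server-side gate that uses the browser's Fetch Metadata request headers to decide whether a search request should be recorded in history; the policy, function names and sample requests are assumptions.

```javascript
// Added illustration: a hypothetical gate for "may this GET /search?q=...
// be written to the signed-in user's search history?".
// The Sec-Fetch-* names are the real Fetch Metadata request headers; the
// policy and function names are assumptions made for this example.

function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

function shouldRecordSearch(rawHeaders) {
  const h = normalize(rawHeaders);
  const site = h['sec-fetch-site'];
  // Older browsers send no Fetch Metadata: keep the existing behaviour.
  if (site === undefined) return { record: true, reason: 'no-fetch-metadata' };
  // Typed URL or bookmark ("none"), or the site's own search box.
  if (site === 'none' || site === 'same-origin') return { record: true, reason: site };
  // Anything else must be a top-level navigation started by a user gesture.
  const topLevel = h['sec-fetch-mode'] === 'navigate' && h['sec-fetch-dest'] === 'document';
  if (topLevel && h['sec-fetch-user'] === '?1') return { record: true, reason: 'user-navigation' };
  return { record: false, reason: 'background-request' };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = {
  typedInAddressBar: { 'Sec-Fetch-Site': 'none', 'Sec-Fetch-Mode': 'navigate',
    'Sec-Fetch-Dest': 'document', 'Sec-Fetch-User': '?1' },
  linkClickedOnOtherSite: { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'navigate',
    'Sec-Fetch-Dest': 'document', 'Sec-Fetch-User': '?1' },
  framedByOtherSite: { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'navigate',
    'Sec-Fetch-Dest': 'iframe' },
  subresourceFromOtherSite: { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'no-cors',
    'Sec-Fetch-Dest': 'image' },
};

function evaluateSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, hdrs]) => [name, shouldRecordSearch(hdrs)]));
}

console.log(evaluateSamples());
```

In this sketch the search results are still served in every case; only the history write is skipped for requests classified as background.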

Why would the attacker want to achieve this?

The answer to this question is not trivial. However, I found a few cases that could impact the users in one way or another. These cases are as follows.

A company could try to advertise its product by flooding the visitor’s autosuggestion list, so that when they search for a specific item the company’s brand shows up before the user even hits ENTER.

The attacker could try to put phishing websites at the top of the list, e.g. facebook⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀site:facehook.tk, which would steal their credentials when they attempt to log in.

facebook⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀site:facehook.tk
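
A padded entry like the one above can be spotted in an exported search history. The following is an added example, not code from the original post: it flags queries where a run of blank-looking characters hides a search operator behind the visible text. It assumes the padding is U+2800 (braille pattern blank) or a similar blank code point, and all function names and the sample history are constructed for illustration.

```javascript
// Added illustration: flag search-history entries whose visible text is
// followed by a run of blank-looking characters and then a search operator.
// Assumption: the padding is U+2800 (braille pattern blank) or a similar
// invisible/blank code point; all names here are made up for the example.

// \s covers ordinary and Unicode spaces; the rest render blank but are not \s.
const BLANK_RUN = /[\s\u2800\u3164\u200B-\u200D\u2060]{3,}/u;
const OPERATOR = /\b(site|inurl|intitle):(\S+)/i;

function inspectQuery(query) {
  const run = BLANK_RUN.exec(query);
  const op = OPERATOR.exec(query);
  return {
    visible: run ? query.slice(0, run.index) : query,
    padding: run ? run[0].length : 0,
    operator: op ? op[1].toLowerCase() : null,
    target: op ? op[2] : null,
    // Suspicious only when the operator sits behind the blank run.
    suspicious: Boolean(run && op && op.index >= run.index + run[0].length),
  };
}

function flagHistory(queries) {
  return queries.map(inspectQuery).filter((r) => r.suspicious);
}

// Constructed sample history; the first entry mirrors the phrase in the article.
const SAMPLE_HISTORY = [
  'facebook' + '\u2800'.repeat(15) + 'site:facehook.tk',
  'site:example.org login',
  'weather tomorrow',
];

console.log(flagHistory(SAMPLE_HISTORY));
```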

The flooding doesn’t necessarily have to pose any security impact to do damage. For example, the attacker’s only goal could be to flood someone’s autosuggestion list with thousands of phrases, just to annoy. Clicking ‘remove’ a thousand times could be really frustrating if you didn’t happen to know a way to clear all the search history at once.

Another possible goal is to embarrass the victim. Imagine someone presenting in front of an audience and, in the middle of the speech, when attempting to search for something, very inappropriate results show up. I can’t imagine a bigger embarrassment during a speech :)

Security issue or not?

In my opinion, the finding is a security issue in a way that could impact a lot of users. Nevertheless, the Google team didn’t share that point of view, which I fully respect, and the issue was closed as Won’t Fix (Intended behavior).

The flooding one’s autosuggestion doesn’t seem to have a great motivation factor for the attacker, what would they gain out of this?

We think the issue might not be severe enough for us to track it as a security bug.

I should probably also mention that this vulnerability was part of a bigger report related to clickjacking the Google reCAPTCHA, which is a bridge to many other attacks that will also appear on my Twitter wall soon. Follow me on Twitter to stay up to date: @terjanq.

If you’ve come all the way here and you are , I’ve left an easter egg for you there! Open the google.com website in a new tab and start typing terjanq in the search bar there. If you solved the riddle or you have any other suggestions in what devilish way the vulnerability could be abused, let me know in the comments! :)


Written by terjanq

Security enthusiast that loves playing CTFs and hunting for bugs in the wild. Also likes to do some chess once in a while. twitter.com/terjanq

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew
