Sites vulnerable to XSS can be used to phish Googlebot

One common security vulnerability developers must take into account is Cross-Site Scripting (XSS). XSS can be mitigated or defended against by sanitization procedures that test the values of variables in GET and POST requests. Server-side attacks exist as well, but are well beyond the scope here. Apparently, Googlebot and indexing currently suffer from this vulnerability.

Phishing Googlebot?

Although XSS attacks can be used to deface or sabotage websites, they are also one method of phishing. An attacker crafts a malicious link to a website vulnerable to XSS and sends users an email containing that link. When a user clicks the malicious link, a script runs when the page loads. Newer versions of Chrome have an XSS Auditor sanity check for URLs that might otherwise fool users.

Unfortunately, Googlebot currently renders pages with Chrome 41, an earlier version of the browser that does not have the XSS Auditor. Does this mean Googlebot is vulnerable to phishing-style URLs in which an attacker injects a malicious SEO attack script? Against Google, an attacker might use JavaScript to inject elements into the DOM such as backlinks and, worse, manipulate the canonical.

XSS Googlebot exploit

The proof of concept (PoC) for this attack was published by SEO (and security researcher) Tom Anthony, depicting the success of the attack method, including evidentiary screenshots of Google Search Console’s URL Inspection Tool showing modified source code as a result of the payload. Keep in mind that a malicious script run in this way has the potential to rewrite the entire page as it is indexed.

Tom describes having undertaken the proper steps of vulnerability disclosure, listing a timeline of his communications with Google and characterizing the responses. At this stage, Tom’s disclosure is an iffy prospect because the vulnerability conceivably still works in the wild, despite Google having told him in March that it has “security mechanisms in place” for it. Security researchers sometimes publish 0day (unpatched) vulnerabilities in order to prompt companies into action.

Google’s response

Tom noted that people see evidence Googlebot has a pending upgrade that would presumably include the XSS Auditor URL filter. Once Googlebot upgrades to a newer Chrome with the XSS Auditor in place, this attack will no longer work. In the meantime, Google can conceivably index and publish malicious links in SERPs that unwitting users of Firefox (which doesn’t currently have an XSS Auditor of its own) could click and get phished.

We received the following statement from Google: “We appreciate the researcher bringing this issue to our attention. We have investigated and have found no evidence that this is being abused, and we continue to remain vigilant to protect our systems and make improvements.”

Exploits using XSS techniques are so widespread it’s conceivable that it’s happening somewhere. It’s simultaneously believable that no one other than the researcher has tried it.

How to protect against XSS attacks

To prevent the most common attacks, you need to make sure no malicious code (JavaScript, PHP, SQL, etc.) gets through to be processed by your application. Build in expectations about values, such as an assurance that only the exact number and correctly named set of variables is present with every request. You should also encode data-type restrictions to test incoming values before proceeding.

For example, if your application is expecting a number and receives a string value as part of a bad request, it should throw an exception, redirect, and maybe temporarily blacklist the IP address. The trouble is, a lot of fairly popular websites are vulnerable to this sort of attack because they don’t take such steps. It’s commonplace for attackers to probe applications by modifying request variable values to look for exploit opportunities.

One of Google’s proposals against XSS attacks takes the data-type sanity test described above to the HTTP response header level with what it calls Trusted Types. Although it hasn’t yet been widely adopted, Trusted Types may eventually serve as an important tactic for protecting your pages. That the vulnerability is not currently patched, however, is why it’s iffy to publish 0days. Google is vulnerable to this exploit.
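One way to implement the request-validation scheme described above, as an added example that is not code from the article or from Google: the schema, parameter names, `/search` endpoint and sample requests are constructed, and the canonical is built only from values that passed validation so a crafted link cannot steer it.

```javascript
// Added example, not from the article: its validation scheme on a constructed search endpoint.
const SEARCH_SCHEMA = {
  q:    { type: "string", maxLength: 100, pattern: /^[\w\s\-.,']*$/ },
  page: { type: "number", min: 1, max: 1000 },
};

// Accept only the exact set of expected names, each with the expected type.
function validateQuery(schema, params) {
  const errors = [];
  const values = {};
  for (const name of Object.keys(params)) {
    // hasOwnProperty, not `in`: names like "constructor" must not pass via the prototype
    if (!Object.prototype.hasOwnProperty.call(schema, name)) errors.push(`unexpected parameter: ${name}`);
  }
  for (const [name, rule] of Object.entries(schema)) {
    const raw = params[name];
    if (typeof raw !== "string") {            // missing, or repeated (parsed as an array)
      errors.push(`missing or repeated parameter: ${name}`);
    } else if (rule.type === "number") {
      const n = /^\d+$/.test(raw) ? Number(raw) : NaN;
      if (Number.isNaN(n)) errors.push(`${name}: expected a number`);
      else if (n < rule.min || n > rule.max) errors.push(`${name}: out of range`);
      else values[name] = n;
    } else if (raw.length > rule.maxLength || !rule.pattern.test(raw)) {
      errors.push(`${name}: disallowed length or characters`);
    } else {
      values[name] = raw;
    }
  }
  return { ok: errors.length === 0, values, errors };
}

// Entity-encode any value that is reflected into HTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the canonical from validated values only, never from the raw request URL.
function canonicalFor(origin, values) {
  const u = new URL("/search", origin);
  u.searchParams.set("q", values.q);
  u.searchParams.set("page", String(values.page));
  return u.toString();
}

// Handler: a bad request is rejected before any of it reaches the markup
// (the article also suggests redirecting or temporarily blocking the client).
function handleSearch(params, origin = "https://example.com") {
  const { ok, values, errors } = validateQuery(SEARCH_SCHEMA, params);
  if (!ok) return { status: 400, body: "Bad request", errors };
  const body = `<link rel="canonical" href="${escapeHtml(canonicalFor(origin, values))}">` +
    `<p>Results for ${escapeHtml(values.q)}, page ${values.page}</p>`;
  return { status: 200, body };
}
```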


About The Author

Detlef Johnson is Editor at Large for Third Door Media. He writes a column for Search Engine Land entitled “Technical SEO for Developers.” Detlef is one of the original group of pioneering webmasters who established the professional SEO field more than 20 years ago. Since then he has worked for major search engine technology providers, managed programming and marketing teams for Chicago Tribune, and consulted for numerous entities including Fortune 500 companies. Detlef has a strong understanding of Technical SEO and a passion for Web programming. As a noted technology moderator at our SMX conference series, Detlef will continue to promote SEO excellence combined with marketing-programmer features and webmaster tips.


New site Hotspot Law like ZocDoc for lawyers


Local search is probably more visible than it has ever been since the advent of Google Maps. Yet, paradoxically, there’s almost no consumer-facing innovation taking place. There’s Google, Yelp, Facebook (somewhat) and a range of specialized vertical apps and sites, some of which have simply survived but aren’t thriving.

Little or no ‘horizontal’ innovation. Part of the lack of “horizontal” innovation in local is likely the result of venture capital not wanting to fund anything that goes up directly against Google. The company may appear to many investors now like an insurmountable juggernaut in local/mobile search.

Any new local-consumer startups, therefore, are likely to appear in specific industries or otherwise offer specialized use cases. Such is the case with Hotspot Law, a new legal search site that hopes to bring ZocDoc-style appointment scheduling to the legal profession. It also seeks to provide a more reliable and cost-effective flow of leads to consumer attorneys.

The legal vertical has quite a few competitors, including Avvo (Internet Brands), LegalZoom, FindLaw and several others. Despite this, Hotspot Law founder Felix Shipkevich believes he’s solving two unsolved problems in the legal vertical.

“The legal market is in dire need of an upgrade,” argues Shipkevich.

Making direct connections with lawyers. “Once you’ve finished searching online, you have to start calling,” he said. “You don’t get to speak directly to attorneys, you typically talk to a gatekeeper.” He points out that this process of getting to a lawyer is time consuming for people who need legal help. “None of these [competing] platforms directly connect the consumer with an attorney.”

Shipkevich, who is an attorney and faculty member at Hofstra Law School, said he was inspired by ZocDoc and the way it enables direct connections between doctors and patients. Similarly, he wanted to remove the friction in lawyer-consumer matchmaking. Shipkevich explained that he also sees Hotspot Law as a way to make “justice” more accessible to consumers.

Why you should care. Legal lead-gen is costly. Shipkevich believes that existing legal sites and ad solutions don’t serve lawyers particularly well either. “PPC advertising can be extremely expensive; in New York it can be $60 to $80 per click.” He adds that “Yelp is expensive. Sometimes it takes $2,000 to $4,000 to bring in a case.”

He wants to solve that problem with simplified reasonable pricing for lawyers who may be struggling to find clients. But he also sees Hotspot Law evolving into a platform to help attorneys manage existing clients. Currently the site only operates in New York, with plans to expand geographic coverage in the coming months.

For the time being, Shipkevich will need to rely on SEO for discovery, but over time he hopes to build a branded consumer destination. It will be very challenging given the current structure of local SERPs. One has to admire the ambition and chutzpah.


About The Author

Greg Sterling is a Contributing Editor at Search Engine Land. He researches and writes about the connections between digital and offline commerce. He is also VP of Strategy and Insights for the Local Search Association. Follow him on Twitter or find him at Google+.


Remembering the Tragedy That Made Our Community Start Talking



About one year ago, everything changed for me and for our community.

A tragedy that struck home so hard it shook us to our core.

A suicide.

A dear friend, brilliant mind, adored father, respected colleague … the list goes on, left us in a way that hits straight to the heart and wakes you up like very few other events can.

I certainly woke up that day. That alarm screamed as loud as it could and I still hear it to this day.

I know I wasn’t alone. So many of my peers experienced similar emotions, sensations, and reactions.

We Could No Longer Ignore the Problem

Sadly, this wasn’t the first tragedy we’d encountered that year – we lost other friends and colleagues as well.

But we knew we couldn’t stand to lose any more amazing people.

We couldn’t look away. We couldn’t just carry on anymore.

So we started talking.

I have been blown away by our internet marketing community. Many of us have never even met face to face, and yet the camaraderie, the friendship, the support among us run rampant!

Never before have I seen a group of people come together so quickly and so openly as when we were forced to face this tragedy.

Groups were formed. Calls were made. Texts were sent. Face-to-face get-togethers were had. Columns like this one were created.

And the best part of it all? It didn’t stop!

We saw the need to stay connected. We recognized that we are a family that needs to support each other. And, perhaps most of all, we saw that we were not alone in our struggles.

It has been amazing to see the openness and honesty that has become so commonplace over the past year. I have seen people that once felt they couldn’t risk being seen without their mask on break down and lay themselves out in the most vulnerable ways.

I include myself in that list. I have become more able to reveal myself to the world around me. That has only been made possible by others sharing in that journey with me.

In leading up to this piece, I knew that I wanted to really find a way to focus on the positive changes that our community has seen because of Jordan Kasteler.

I wanted to honor him in a way that really brought some form of good to this incredible loss that we all experienced due to his passing.

Where Are We Now? Thoughts from Our Community

I reached out and asked a few people in our community if they would share some words of how they have been changed for the better as well as how they have seen our community as whole making changes to support each other over the past year.

Here is what they had to say:

Alexandra Tachalova:

“Working days, nights, and weekends was normal for me a few years ago. However, at that time I couldn’t say that I was really happy. I didn’t understand at the time that my work-life balance was completely off, and I now know that that could have developed into something truly horrifying.

I eventually reached such an emotionally unstable point that I hit a time where one week I was super productive, but the following week I felt hugely demotivated and absolutely miserable. (I know this is a familiar story with many others as well, I hear people telling similar stories and sharing similar experiences regularly.)

Over the past while, I have been working diligently to save myself from this emotional trap. This new focus has led me to investing more time into things that are not related to work and putting more time into the things that help to create a happier life for myself.

I can see that more people in our community are becoming more aware of the need to make this sort of a switch to their schedules and priorities as well, which is brilliant to see!”

Melissa Fach:

“In the past year, I have noticed a massive shift in our community not being ashamed to reach out and ask for help, advice, or just a kind word. I feel like masks have been dropped, and people are not embarrassed to discuss what makes them “real”; I love it!

I think many people used to feel they had to have a public persona that was acceptable, and now they know we all have issues and it is OK to talk about.

I have a picture of Jordan out that I see every day. I moved past the guilt and the pain when I looked at it, and he is now a daily reminder to stay present with my friends as much as I can.

And, it is a reminder to me to stay focused on my well-being as well. I tend to overwork and do too much for everyone and end up exhausted. I take steps now to take care of me more than ever before.”

Steve Wiideman:

“Though I’ve been in the industry for years, I’m still a somewhat newer member of the SEO community. Call it fear of rejection, social anxiety, whatever, I’ve always been nervous to put myself in a position to be judged by my peers.

It really wasn’t until I was invited to an amazing Facebook group made up of a small close-knit group of industry peers focusing on supporting each other through the day-to-day struggles that I realized that nearly everyone shared the same fears, anxieties and experiences that I have.

What a relief it is to know there is a place where we share what we are feeling and have so much empathy! Finally I have a place I can turn to where people understand me.

Even if I don’t share as much as others, I have peace of mind knowing there are people there ready and willing to listen and help, where there’s no judgement, just open arms.”

Danny Goodwin:

“We’ve definitely made a lot of progress over the past year as a community. However, if I’m being completely honest, we still have a long way to go. I’m still hearing about issues of bullying. I’m seeing people piling on people they disagree with on Twitter.

While, thankfully, these are in the minority, the polarization and black-and-white thinking needs to stop. The judging and assuming needs to stop. The trolling and “mob mentality” needs to stop.

We need to stop fighting each other and start lifting each other up – treating everyone like human beings. Nobody is perfect, but I hope we will continue to see more people be able to let go of their hate and negativity to accept love and positivity into their lives. I know that will continue to be our aim with Friday Focus – to remind everyone that they are not alone in their struggles.

Ultimately, though, I am so happy to be a part of something so positive in our community – and it’s great to see so many others jumping onboard, too.”

Kim Krause Berg:

“It’s easy to assume that your peers are generally doing better than you, making more money than you, and are super successful in every way. It is only in the past few years that I realized this is baloney.

I respect people who remove their masks and show who they really are. We are people with lives and struggles, heartache, depression, and pain.

In the past year I have opened up more and made new friendships as a result. We have more in common with each other than we might think.”

Dave Davies:

“Over the past year I’ve seen an incredible shift in our community.

Social media itself breeds an environment where we see only the best of our peers and post the best of ourselves and being in marketing, needing to be on social media, needing to market ourselves on social media and seeing only the best version of those trained in presenting the best version of themselves – one can feel very alone in difficult times. Compounding that we face an often isolated profession where even sitting beside someone, we are focused on a screen and all they contain.

Sadly, we all know too well what that leads to, and over the past year we collectively recognized that we are human. That those around us are human. That others need support and perhaps most importantly, that we do too.

We finally heard the words spoken all too often after those tragic events, “If only they had asked for help.” And we took it upon ourselves to do so.

We finally knew to listen, to watch and to find out how those around us were doing, lest we face the loss of another friend who we would have dropped everything for, ‘If only they had asked for help.’

The community has grown its heart and soul over the past year.

There is still a lot to do. There are still many who don’t know where to turn. Many who don’t know who to talk to. But each time we reach out and each time we talk about challenges openly, share our own and listen to theirs … each time we do that, the community grows its heart a little more.

It has been an incredible year of change. While we will forever mourn the spark, the now burning fire keeps us all warmer.”

Jeremy Knauff:

“One thing that has changed dramatically in our industry over the last year, is that as individuals, we’ve become a lot more vocal about asking for help when we need it.

I think most people are more than willing to help each other. They just have to know that someone needs help. Now that people are starting to open up more about their personal struggles, the community is able to better support them.”

Thank You!

I want to take this opportunity to thank all of you – whether I know you in person, whether I know you online, even if I don’t know you at all – thank you for being here.

Thank you for caring and sharing and being a part of the positive change that we are all working so hard at creating.

Keep being a force for good in our community.

Together we will make a difference.


This piece is written in memory, honor, recognition, and gratitude of Jordan Kasteler. For all that he gave us, shared with us, taught us and left us with. We are eternally grateful.

***PLEASE DO NOT STRUGGLE ALONE! Reach out, ask for help and know that you are valued.
CLICK HERE for a list of phone numbers for Suicide Hotlines around the world.***




20190718 SEL Brief

Please visit Search Engine Land for the full article.

Copyright © 2019 Plolu.