Candour

Episode 8: More GSC bugs, Bing Ads rebrand and blackhat XSS

What's in this episode?

Mark Williams-Cook will be discussing:

Google Search Console bugs: There was a 16 day data loss within Google Search Console and errors with manual action reports.

Bing Ads rebrand: The Bing Ads platform is rebranding to Microsoft Ads and changing focus.

Google XSS exploits: A newly released zero-day exploit that allows blackhats to inject links and content onto third-party websites' Google cache.

Podcast transcription:

MC: Welcome to episode 8 of the Search with Candour podcast recorded on Sunday the 5th of May 2019. My name is Mark Williams-Cook and I'm going to go through the highlights of this week's Search news with you. Firstly very proud to say apparently 97% of podcasts don't make it past episode 7, it seems like a bit of a wild number to me but I'm very proud to say here we are on episode 8 so we made it! We are in that 3% and we've got a really good episode for you today, we're going to be talking about even more Google Search Console bugs so you're aware about their missing data and about the manual actions you might be receiving that are incorrect. We're going to be talking about a Bing Ads rebrand and what to expect from that, and super interesting - an unfixed cross-site scripting bug in Google that potentially has huge ramifications for people being able to use a new blackhat technique to essentially inject links into Google and make sites rank better.

It's been a really bad week for Google again in terms of bugs and things not working properly. We talked previously about the big indexing issue Google had, where they had millions of pages just completely dropped from their index and affected sites in that they just wouldn't receive any traffic from Google. We also spoke about the rich snippet schema errors Google was experiencing and caching errors as well, and in the last week we've had confirmed reports on all kinds of issues with Google Search Console again.

This time we've had confirmation that on midweek - so on the 1st of May, in this last week there was an issue with Google Search Console data specifically from April the 9th to the 25th. Google reported that Search Console experienced a data outage that ceased on April 26th, the outage affected all reports except the performance report. All missing data from the 9th to the 25th of April was replaced with the data from April the 26th when data began to be available again. What this announcement is saying is essentially this 16 day period between the 9th of April and the 25th of April, all the data between them was just overwritten with the same data from the 26th and this period does overlap the indexing bug that we spoke about. So the indexing bug when Google was dropping pages was between the 5th and 11th of April, which means that this data loss will make it very hard to look back and work out which pages, and how your site was affected through Google Search Console data.

Now most agencies and hopefully most freelancers or people practising SEO will be pulling data from Google Search Console and storing it themselves, maybe via sheets, and pulling reports into Google Data Studio. Then this instance that there isn't even the data there to pull now is just gone, and in a world now where we've got cloud storage, and Google Search Console serving millions of webmasters it's almost unfathomable that they've lost this data but that does appear to be the case. It doesn't seem that Google is going to be getting this data back.

We saw as yesterday was Star Wars day for Star Wars fans so May the fourth and the Search Console team had released some Easter eggs in Google Search Console with C3PO, and you could click and have some Star Wars stuff in Search Console which was met I think with a little bit of annoyance from a lot of webmasters. I think someone described it really well as describing it as a little bit ‘tone-deaf’, in that they had this really serious issue where we've got over two weeks of data just gone and they’re focusing on doing these easter eggs. It's maybe a bit of a wake-up call if you're relying on free services maybe even things like Google Drive, that it’s a good idea to have your own copy of the data that you own and control as well.

So this is something that I find really unexpected that Google in 2019 could just lose all their copies of this data. But it does appear to be gone and at the same time this was happening we've got this issue with data going missing from Search Console. There appears to have been a problem with the manual action report in Google Search Console, so manual action report is where your site will receive a penalty, so it's manually received a penalty. You'll normally get a notification of these through Google Search Console, and when you get one it's time to sit up and take notice because this is serious. It's going to have incredibly important repercussions on your site, your search visibility is definitely something you want to take care of.

Marie Haynes reported on the 30th of April on Twitter - she tweeted:

She tweeted this and there's been multiple confirmations on Twitter from other webmasters, on the Google forum support groups and John Mueller did tweet saying:

and John did follow up later in the day saying:

So what's happened there it appears is that there was a confirmed bug with the manual action reports, and Google is saying if you are now still seeing that you have manual actions in Google Search Console that it's worth doing something about them probably. We hope. It's interesting when I spoke about this the podcast before last, I was saying it's very uncommon for Google to seem to have so many simultaneous issues and I can't help but wonder if all of these things are connected. So there's been a lot of issues around crawling, indexing, and caching and how this is reported in through Google Search Console so we'll have to wait and see how this pans out and maybe affects webmasters. But for now if you're looking for your data for the end of April in Search Console, I'm afraid it’s gone and you're not getting it back. There was a glitch with manual actions so if you had reports surface don't worry about it so much if they're still there, you need to do something about them.

So there we go, just as you're probably finally getting used to calling Google AdWords Google Ads, Bing has rebranded to Microsoft Advertising as well. They go on in the blog post to cover what you should expect from this change and they say

So the Microsoft Audience Network according to Microsoft reaches around 404 million people per month and sponsored products is the other products which they say is going to showcase this. If you haven't heard of sponsored products, sponsored products for Microsoft are only available in the United States and it's currently a program that's in open beta. In sponsored products two partners share the cost of advertising as they work to drive product sales through certain channels. Microsoft say typically these two partners are manufacturers and retailers, or ad agencies and their clients who have merchandising agreements with one another.

How sponsored products work: Let's say you manufacture widgets and Contoso is one of your authorised dealers, Contoso wants to feature your widgets during the upcoming sale. They've approached you to partner on a marketing blitz of targeted ads designed to drive widget sales and conversions on their website. In partnership you both agree to share the cost of clicks on a promoted product through your own ad group and your partner's own ad group. So these are two new products which Microsoft I think are trying to break away a little bit and make their own ground outside of what Google's offering at the moment. We'll still have to wait and see, a lot of marketers I know (paid search marketers) have been fairly skeptical of the results that they've been getting from the more AI driven platforms. But that's the direction Microsoft's going in at the moment, so we're going to have to get used to calling Bing Ads Microsoft Advertising now.

There's one story in the last week that's really interested me the most which was a blog post by Tom Anthony who's VP of Product at Distilled and I've been aware of Tom for many years. I've seen him do talks at places like Brighton SEO and he's written some really interesting pieces in the past and this is no exception. He's written a blog post called ‘XSS attacks on Googlebot allow search index manipulation’ and very helpfully Tom has written a short summary of the detailed blog post that he's written. I'll include a link to his full blog post in the show notes so you can read it for yourself but his summary reads as this

This is really interesting. So the basis of this attack is that you can put JavaScript inside a URL (so a website's URL) and this can mean that the JavaScript can be included in the content of the page without being as Tom says “sanitized”, meaning that the code is executed in the user's browser or in this case in the browser Google is viewing rendering the site in. If you're sort of an average web user now and you're using Chrome you're automatically protected from this kind of attack as Tom says it has what's called an XSS a cross-site scripting auditor that will recognize this kind of behaviour and block it. Because Googlebot is running a 2015 version of Chrome 41, it does not appear to have this cross-site scripting auditor, this means that if you cleverly craft these URLs to inject JavaScript on the page that when Google does come around to rendering these pages with the JavaScript, the JavaScript content will be included and Tom in the blog post has demonstrated that he can create malicious URLs that firstly inject both content and links onto a page, and secondly he's altered canonical tags on a page. So injecting links onto a page, it's obvious why that's important so if you can start tricking Google into thinking that these sites are linking to you, we know that links are still important in Google's algorithm and getting good links from good sites definitely helps. Altering the canonical tags is another really interesting thing that's possible. We've spoken previously we've seen Google's saying that they don't honour canonical tags that are rendered in JavaScript and this was tested by several people and proven false.

So we found that if you insert canonical tags on pages via JavaScript or via tag management software such as Google tag manager which relies on JavaScript, that Google does appear to honour those canonical tags and this is troublesome because it opens up certain possibilities. Such as you could straight up copy someone's content and you could manipulate the canonical tag on their site to reference your site as the canonical source for that. So you could say to Google that Google's understanding would then be that site is just republishing your content and you'll get the credit, you'll get the rankings, you'll get the traffic, and obviously the money you can make from having that content.

Now Tom has confirmed when he's run these tests that the changes that were made by injecting the JavaScript were cached by Google and this in a way makes it one of the most scary and dangerous attacks because we know there's lots of hacking done in the name of SEO. What normally happens there is websites tend to get hacked and people will inject links onto sites to link to theirs to try and bolster their Google rankings and normally the MO of this is the links will be injected and they'll cloak. Meaning they'll only show the links and content to Googlebot, so in lots of instances people/webmasters will have their sites hacked. But when they visit them and when the normal users visit them they won't appear to be hacked, but when Googlebot visits they'll see different content and links.

That's still relatively easy to catch and Google will actually give you alerts live in the SERP and through Google Search Console if it believes your site has been hacked. The difficulty with this is if you have someone injecting links technically on your site with this method the only way you would be able to see that is if you start looking at the cached pages that Google has of your site. There would be no way just by viewing the page on your site, at least, to tell if someone is doing this so this is a potentially very sneaky very dangerous attack. Tom has included a short paragraph on defense in his blog post and I'll just read this verbatim, he says:

So Tom's saying, as I mentioned earlier, there's no way to detect this just by looking at your pages but you will be able to check which URLs have been requested from your server. So if these do contain the word ‘script’ it's very likely unless you've got those words in your URLs anyway that someone is trying to execute script through your URLs. Another amazing bit of research by Tom, really interesting and I can't see this being unused. This is in the open, this is in the wild - there will be people I'm sure testing this and trying to take advantage of this technique, so definitely something I'd be looking at if I was running a site that we can't confirm doesn't have any XSS vulnerabilities. So thanks for posting that Tom, really really interesting!

That’s everything for this episode of the Search with Candour podcast, you can grab the show notes as usual at search.withcandour.co.uk. My name's Mark Williams-Cook and I hope you'll join us again on Monday the 13th of May for the next episode, and I hope you've all enjoyed your bank holiday weekend!
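The server-log check mentioned in the episode (looking at which URLs were requested and whether they carry script), as an added example that is not part of the podcast or of Tom Anthony's post. The Combined Log Format, the marker patterns and the sample log lines are assumptions constructed for illustration; it decodes percent-encoding before matching so that a legitimate URL containing the word "javascript" is not flagged while encoded markup is.

```python
import re
from urllib.parse import unquote_plus

# Combined Log Format (assumed): ip - - [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)
# Assumed markers: markup that a reflected-XSS URL carries once it is decoded.
MARKERS = re.compile(r'<\s*script|javascript:|<[^>]+\son\w+\s*=', re.I)

def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%253C) is seen as '<'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def suspicious_requests(lines):
    """Return one record per request whose decoded URL contains script markup."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skipped here, worth counting in production
        decoded = fully_decode(m['target'])
        if MARKERS.search(decoded):
            hits.append({
                'time': m['time'],
                'target': decoded,
                'status': int(m['status']),
                # User-agent strings can be spoofed; this is only what the client claims.
                'claims_googlebot': 'googlebot' in m['agent'].lower(),
            })
    return hits

GOOGLEBOT_UA = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    f'192.0.2.10 - - [05/May/2019:10:00:00 +0000] "GET /blog/javascript-seo-guide HTTP/1.1" 200 5120 "-" "{GOOGLEBOT_UA}"',
    f'192.0.2.10 - - [05/May/2019:10:00:05 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4810 "-" "{GOOGLEBOT_UA}"',
    '203.0.113.7 - - [05/May/2019:10:01:12 +0000] "GET /search?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 4790 "-" "Mozilla/5.0"',
    'this line is not in the expected format',
]
```

Requests flagged with `claims_googlebot` set are the ones to compare against Google's cached copy of the same page, since that is where injected content would show up.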
