Google’s Knowledge Graph, the informational panel displayed next to the results of popular search queries, can be spoofed to show arbitrary details, regardless of the input in the Google search box.
The trick can be carried out by anyone, as it requires no technical knowledge, and could be used in humorous endeavors, like pranking someone, or for serious actions, like spreading fake information.
Easy method to change the Knowledge Graph
Knowledge Graphs come with a share button you can use to create a shortened link for easy distribution of the search query. The full URL includes a parameter (‘kgmid’) with an identification code for the Knowledge Graph card displayed with the Google results.
“As it turns out, you can add this parameter to any valid Google Search URL, and it will show you the Knowledge Graph card next to the search results of the search query,” says Wietze Beukema, who reported the issue to Google more than a year ago.
Indeed, even if a query does not have an accompanying information card, you can supply an arbitrary identification code in the parameter to show a Knowledge Graph card with the results.
While an informed user could realize that something is amiss when viewing the Knowledge Graph displayed with the real results returned for the query, there is a way to reduce or eliminate this risk, depending on the user.
Another valid parameter for the shared URL is ‘kponly,’ which suppresses all results on the page and shows only the query and the Knowledge Graph instead.
In this case, the only way to spot the trickery is for the user to run a search themselves and check the results returned. However, most users today trust the information on their screen unconditionally; phishing scams are the best example of this.
“These two things combined open the door to abuse: if, for example, your search query is a question, you can now pick a Knowledge Graph card that has your desired answer and only show this desired answer,” explains the researcher.
“The point is that this allows you to trick others into believing something is true,” he adds.
Beukema, who is a senior analyst at PwC UK, says that Google removing at least the ‘kponly’ parameter that eliminates the search results would be a step toward preventing this type of abuse; he believes that disabling ‘kgmid’ would be the better solution.
When he found the issue, Beukema says he was not the only one aware of it. Google has been informed of the possibility of abuse through this method but dismissed the bug report as it considered the vulnerability insufficiently severe to address.
“I disagree,” Beukema says, “in this day and age of fake news and alternative facts, it is irresponsible to have a ‘feature’ that allows people to fabricate false information on a platform trusted by many.”
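For defenders who want to flag such links in mail or proxy logs, the sketch below classifies a URL by the presence of the two parameters the article names and rebuilds it without them, so the query can be run unmodified. It is an added example, not code from Beukema or Google; the host pattern, the `/search` path check, the function names and the sample URLs are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: Google Search hosts look like google.com, google.de, google.co.uk.
GOOGLE_HOST = re.compile(r"^(www\.)?google\.(com|[a-z]{2}|(co|com)\.[a-z]{2})$")
CARD_PARAMS = {"kgmid", "kponly"}  # the two parameters named in the article


def classify_search_link(url):
    """Return 'not-google-search', 'plain', 'card-pinned' or 'card-only'."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not GOOGLE_HOST.match(host):
        return "not-google-search"
    if parts.path.rstrip("/") != "/search":
        return "not-google-search"
    # keep_blank_values so a bare "&kponly" (no "=value") is still seen
    names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    if "kponly" in names:
        return "card-only"    # organic results hidden, only the card is shown
    if "kgmid" in names:
        return "card-pinned"  # card chosen by the link, not by the query
    return "plain"


def strip_card_params(url):
    """Rebuild the URL without kgmid/kponly so the query runs unmodified."""
    parts = urlsplit(url.strip())
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in CARD_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


# Constructed sample links; the kgmid value is a placeholder, not a real card id.
SAMPLES = [
    "https://www.google.com/search?q=example+question",
    "https://www.google.co.uk/search?q=example+question&kgmid=/m/PLACEHOLDER",
    "https://www.google.com/search?q=example+question&kgmid=/m/PLACEHOLDER&kponly",
    "https://example.org/search?q=x&kgmid=/m/PLACEHOLDER",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict = classify_search_link(link)
        print(f"{verdict:18} {link}")
        if verdict.startswith("card-"):
            print(f"{'':18} clean: {strip_card_params(link)}")
```

Shortened share links have to be resolved to their final URL before they are passed to the classifier, since the parameters only appear in the full URL.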