Shared by Rizzn
Very clever. #tw
Let me start by saying that, at least in the US, Google does not censor Tiananmen Square. Nor does Bing. Nor Yahoo. But we can make it look like they do. If you don’t believe me, click here, here, and here.
As you can see, I’m linking to the real Google domain, and the page looks and acts legitimate. The URL looks normal. You can even change the search, say remove “massacre”, and Google still doesn’t find anything. Try it with quotes. Remove square. Still no results. The “censorship” certainly feels fairly real, and the hoax would be even harder to detect if I had said that they were only censoring links from some third party sites.
Now try copying and pasting the search into a different search engine. Nothing again. It’s a conspiracy! And look, Digg censors searches for their rival Reddit!
Or how about the government forcing videos from Afghanistan to be removed from YouTube from within the US?
What’s going on?
I’m using a search query that looks like one thing but is, in fact, another. This particular search query uses Unicode characters that look identical or similar to normal characters. In this case, I’ve replaced one of the “a”s in Tiananmen with a look-a-like character from the Cyrillic alphabet. Nobody uses such a tampered string when writing about Tiananmen Square, so Google naturally doesn’t find any results. Hence, it looks like they are censoring. As long as you don’t delete the entire query and start again, modifying the query in place will continue returning results that appear “censored”.
In effect, this is taking the old phishing trick of homoglyph attacks—an attack consisting of using confusing look-a-like URLs like paypa1.com with the numeral one replacing the letter ell—and adding a dash of cross-site scripting but where you become the agent of infection: the supposed “censorship” may be shocking enough to cause you to forward the link. You can find a list of look-a-like characters here.
Using this technique you can create viral links showing that Bing censors BP oil spill images, or that Techcrunch has never used the word perfect. With a mischievous eye, these kinds of searches might well cause damage. Someone will figure it out eventually, but probably not before the PR damage is already done.
Being #1 In Google. The Easy Way
Another way to take advantage of this hack is to easily appear to be the first hit for any term in Google.
Step 1: Decide on the term you want to own. Say “Used Cars”. Now perform the homoglyph substitution. When you search for the tampered phrase, you should get no results.
Step 2: Use the tampered phrase on the site you want to appear as #1.
Step 3: Make a set of throw-away web sites that mirror your competitors’ sites that all use the tampered phrase and have them link to the site you want to be #1.
Step 4: To prove that you are the most reputable used car site on the web, just link people to the Google search for the tampered phrase. The page will list you at the top for the phrase “used cars” with all of your “competitors” ranked below you.
Step 5: Congrats. You can now control any search engine’s search page, as long as you provide the link.
I stumbled on this technique through an exploration of the unicode “mirror” character, which reverses the direction of all text after it. Doing a search for “” seemingly breaks Google. Going a step further, you can write your queries backwards with the mirror character at its front, making it look normal and also yield no results. When I tried this particular technique on my Twitter following most of them figured that something strange was going on based on strange interaction experience and odd search results. The unicode homoglyph method does not suffer from these issues.
Search engines could nullify this attack vector by watching for such strange homoglyph characters in the middle of normal words and quietly swapping them back.
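One way a search front end could implement that check, as an added example that is not part of the original post: it flags words that mix Latin with another script, swaps known look-alikes back, and strips bidirectional control characters. The function names and the small confusables table are constructed for illustration; a production filter would load the full Unicode confusables data.

```python
import unicodedata

# Constructed, deliberately small Cyrillic -> Latin look-alike table (assumption:
# a real filter would use the complete Unicode confusables list).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}

# Bidirectional marks, embeddings, overrides and isolates. U+202E (right-to-left
# override) is assumed to be the "mirror" character the post describes.
BIDI_CONTROLS = set("\u200e\u200f\u202a\u202b\u202c\u202d\u202e"
                    "\u2066\u2067\u2068\u2069")

def script_of(ch):
    """Rough script tag: the first word of the character's Unicode name."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else None

def inspect_query(query):
    """Return (normalized_query, findings) for one search query string."""
    findings = []
    cleaned = "".join(ch for ch in query if ch not in BIDI_CONTROLS)
    if cleaned != query:
        findings.append("bidi control character removed")
    words = []
    for word in cleaned.split():
        scripts = {s for s in map(script_of, word) if s}
        # Only words that mix Latin with another script are suspicious; a word
        # written entirely in Cyrillic is legitimate text and is left alone.
        if len(scripts) > 1 and "LATIN" in scripts:
            fixed = "".join(CONFUSABLES.get(ch, ch) for ch in word)
            findings.append(f"mixed-script word {word!r} -> {fixed!r}")
            word = fixed
        words.append(word)
    return " ".join(words), findings

if __name__ == "__main__":
    # Constructed sample queries: tampered, bidi-prefixed, and clean.
    for sample in ["Ti\u0430nanmen square massacre", "\u202eerauqs", "used cars"]:
        print(inspect_query(sample))
```

A non-empty findings list is also worth logging or surfacing to the user ("showing results for ..."), since a silent swap hides the fact that the link was tampered with.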