Google’s +1 vulnerable to clickjacking?
The internet, and particularly the SEO community, is abuzz from Google revealing their new +1 button yesterday. If you are unsure what this is all about then you could start by reading this introduction to +1 by Danny Sullivan over at Search Engine Land. If you are interested in reading more about the impact on SEO then you should start with Tom Critchlow's excellent analysis on the rise of social SEO on the SEOmoz blog.
If you aren't interested in any of that and just want to play with it already, then log into your Google/Gmail account and head over to Google Experimental, where you can turn the feature on if you're not already seeing it. If you are in the UK you need to make sure you aren't being redirected to Google.co.uk, which doesn't currently serve the buttons; you can start via Google.com/ig instead. If you are using IE7, an iPad or probably numerous other devices then you are out of luck for the moment. Though if you are using IE7 you probably have other problems to worry about.
There is some great coverage of the +1 button already all over the internet. My post today focuses on the fact that it appears that the +1 button is vulnerable to clickjacking…
Twitter and Facebook have gone before…
In 2009 there was a sudden outbreak of tweets on Twitter which began with the words 'Don't click' and a link to a webpage; when you arrived at this page a clickjacking setup posted a tweet, seemingly by you, to your Twitter feed. It spread extremely quickly over Twitter, but was soon patched.
Closer to the example I'm going to show you is the clickjacking affecting Facebook that the BBC reported last year. There, people hid 'like' buttons in pages, so that while navigating or using a website you began 'liking' sites on Facebook without realising it.
What does this have to do with SEO?
Social signals are becoming increasingly important as ranking factors for the search engines: what the masses (and particularly your friends and contacts) are talking about, using and sharing with one another certainly gives sharp insight into what is relevant. Google is already using these signals, coming from Facebook, Twitter and who knows where else, especially in QDF searches.
Google know this, and they know they shouldn't stay reliant on social signals coming from elsewhere; they should have their own signals, and ones that can be tied directly into the SERP interface. +1 is their answer, and I have to say I think it is really pretty cool.
However, for it to be a good ranking factor it needs to be, at least somewhat, robust to manipulation and abuse. One of these forms of abuse is bound to be clickjacking. People will try to game Google and the other search engines in whatever way possible – they WILL try this.
I haven't had much time to look at it, but Google doesn't seem to have much defence in place to prevent an iframe-based approach. It was very quick and easy for me to cobble together a quick demo which works in Firefox, Chrome and Safari, on the OS X and Windows machines I've tried. No joy on IE at the moment – we'll come back to that.
First, open these SERPs to see my LinkedIn profile in the index, and double check you are +1 enabled (do you see the shiny buttons?!). You should see something like this:
Unless you're my Mum (hi Mum!), you probably haven't +1'd my LinkedIn profile. OK, so now what? Well, now click this terribly innocent-looking link:
For the sake of this demo, the link doesn’t go anywhere, but it could be set (with some trickery) to take the user somewhere.
OK, now let's check those SERPs again… If things went right (which they may or may not have done; this was a quick demo) you will see something like:
Yep – that harmless-looking link you just clicked +1'd my LinkedIn profile. Thanks!
Of course, you could do the friendly version, so you can embed a +1 button in your site now:
The bad news is that going via the SERPs means you could +1 any indexed page via this approach, not just the one carrying the embedded nastiness. Furthermore, you wouldn't even know you had done it. Currently, unlike Facebook, it doesn't immediately notify people or show up on your homepage. +1s do show up on your Google profile, but most people aren't using these actively and wouldn't notice.
I imagine Google will move to make this harder, especially when they start allowing buttons people can add to their own sites. But for now, it seems that clickjacking of +1 buttons is a distinct possibility. My example code is pretty shoddy, and probably a bit hit and miss, but the principle is there.
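The defence the post says is missing is, at the HTTP level, a framing policy: a page that renders state-changing buttons tells the browser which ancestors may embed it, so a hidden iframe on a third-party page is simply refused. The following is an added example written for this page (it is not code from the original post, and not Google's), showing both halves of that defence as a site owner or auditor would see it: `framingPolicy` classifies a response's headers (CSP `frame-ancestors`, which takes precedence in browsers that support it, falling back to the legacy `X-Frame-Options`) as framable by anyone, restricted, or not framable, and `framingProtectionHeaders` produces the headers a page like this should send. The sample responses in `samples` are constructed for illustration and are not real headers from any Google service.

```javascript
// Added example (not from the original post, not Google's code): classify an
// HTTP response's framing policy and generate the recommended headers.
// Sample headers below are constructed, not captured from a real service.

// Return one array of sources per frame-ancestors directive found in the
// Content-Security-Policy header(s). A response may carry several policies.
function parseCsp(value) {
  const policies = Array.isArray(value) ? value : [value];
  const lists = [];
  for (const policy of policies) {
    for (const directive of String(policy).split(';')) {
      const tokens = directive.trim().split(/\s+/).filter(Boolean);
      if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
        lists.push(tokens.slice(1).map(t => t.toLowerCase()));
      }
    }
  }
  return lists;
}

// 'none' when no ancestor may embed the page, 'any' when a wildcard or a
// bare scheme (e.g. https:) lets any origin embed it, otherwise 'restricted'.
function classifyAncestors(sources) {
  if (sources.length === 0 || sources.includes("'none'")) return 'none';
  const wideOpen = s => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s);
  if (sources.some(wideOpen)) return 'any';
  return 'restricted';
}

function framingPolicy(headers) {
  // Normalise header names so callers can pass them exactly as received.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // CSP frame-ancestors wins: browsers that understand it ignore X-Frame-Options.
  if (h['content-security-policy'] !== undefined) {
    const lists = parseCsp(h['content-security-policy']);
    if (lists.length) {
      // With several policies, framing is allowed only if every policy allows it.
      const verdicts = lists.map(classifyAncestors);
      let framable = 'restricted';
      if (verdicts.includes('none')) framable = 'none';
      else if (verdicts.every(v => v === 'any')) framable = 'any';
      return { framable, source: 'csp', detail: lists };
    }
  }

  const xfo = h['x-frame-options'];
  if (xfo !== undefined) {
    const value = String(xfo).trim().toUpperCase();
    if (value === 'DENY') return { framable: 'none', source: 'xfo', detail: value };
    if (value === 'SAMEORIGIN') return { framable: 'restricted', source: 'xfo', detail: value };
    if (value.startsWith('ALLOW-FROM')) {
      return { framable: 'restricted', source: 'xfo', detail: value + ' (legacy; not honoured by all browsers)' };
    }
    // Unrecognised value: report it as unprotected so an audit flags it.
    return { framable: 'any', source: 'xfo', detail: 'unrecognised value ' + value };
  }

  return { framable: 'any', source: 'none', detail: 'no framing headers at all' };
}

// Headers a page with +1/like-style buttons should send. With no argument the
// page cannot be framed by anyone; pass the site's own widget origins to allow
// only those (assumed, hypothetical origins in the usage below).
function framingProtectionHeaders(allowedOrigins = []) {
  const sources = allowedOrigins.length ? ["'self'", ...allowedOrigins] : ["'none'"];
  return {
    'Content-Security-Policy': 'frame-ancestors ' + sources.join(' '),
    // Legacy header for browsers without frame-ancestors support.
    'X-Frame-Options': allowedOrigins.length ? 'SAMEORIGIN' : 'DENY',
  };
}

// Constructed sample responses for the demo (not real Google headers).
const samples = {
  unprotected: { 'Content-Type': 'text/html' },
  legacyOnly: { 'X-Frame-Options': 'SAMEORIGIN' },
  cspWins: {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  },
  wideOpen: { 'Content-Security-Policy': 'frame-ancestors *' },
};

// Report each sample's verdict as one line per response.
function report() {
  return Object.entries(samples).map(
    ([name, headers]) => `${name}: ${framingPolicy(headers).framable} (via ${framingPolicy(headers).source})`
  );
}

console.log(report().join('\n'));
console.log(framingProtectionHeaders());
```

The `unprotected` sample is the situation the post describes: nothing tells the browser to refuse an embedding, so any page can overlay the button. Note that the check reads only the response headers; a page relying solely on JavaScript frame-busting will still be reported as framable, which is deliberate, since script-based busting can be defeated and should not be counted as the primary control.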