My Search History Spam Test Page

Google My Search History spam test page, following up Philipp Lenssen's Planting My Search History Entries post at Google Blogoscoped

If you aren't already logged in to your My Search History account, do so then reload this page.

(In a real world exploitation of this trick, say on a commercial page with loads of content graphics and adverts, the background contact with Google would be less obvious).

Then check your My Search History results ...

(Here's a screenshot (84kb) if you don't have an MSH account)

Try clicking some of the links ...

View this page's source code to see how it's done (View/Source in IE and Opera; View/Page Source in Firefox).

If your ad-blocking tools or User Scripts block some or all iFrames, this probably won't work (well done ;). Though the same thing can be achieved with clear gifs (web bugs) too: as demonstrated here.

Other potential methods (pre-fetching, JavaScript, ActiveX, popups, popunders, onload and unload events, etc) aren't attempted here. The bad guys will surely test the limits of what is possible.

The attraction to advertisers/spammers is that this technique can put adverts (in the form of spammily-phrased URLs) on pages (users’ My Search History pages), which are otherwise inaccessible to them (at least until Google starts putting their own ads on those pages). And they are displayed right in amongst the ’content’ (actual users' searches), which users want to read to find something (that's the whole purpose of My Search History, after all). It’s an almost ideal placement. At worst, users see the spammer's text message (like a billboard). At best, if/when the link is clicked (perhaps just out of curiosity and/or confusion) the spammers site might be at or near the top results for the spammy search phrase, or it may display their whole site map (see the site: search example), or their ads may display if the phrase includes keywords to generate specific ads on the Google SERPs pages.

And whilst the 'trigger' site must be one you visit (like this one), the 'injected' links could be by dozens of third parties who advertise (visibly or invisibly) on that one site. Often, the site owner has little or no control over what their contracted advertiser network displays within the advert iFrames anyway.

Of course there's great scope for malicious or prank or political/polemic links too. (There’d be no way of telling which site injected them, once the hidden iFrame links are removed or changed)

Yow.

Afterwards, you may want to prune your My Search History, er, history ...