Aaaaaand... here it is.

I have an unbelievable story to tell you.

A few days ago +Demetrio Siragusa asked me to look at a Google+ page that he manages. The page, linked to a website, had mysteriously acquired millions of +1s in just a few days, for no apparent reason.

So I've investigated both the Google+ page and the website it is linked to and I have discovered why Google has erroneously attributed so many +1s to the page.

Anyone can replicate this phenomenon; it's child's play.
We could call it "+1 mirroring".

How it works

The Google+ page managed by Demetrio doesn't show the fake number anymore but I've saved all the information needed to explain the bug to you. If you are curious to see some live examples of the bug, don't worry, just keep reading.

The Google+ page that had acquired more than 10 million +1s was this one: is the URL of the website linked to the Google+ page.

In the HTML code of there was only a frame that showed an external web page and, by mistake, there was also a JavaScript redirect to an unrelated website: YouTube. Here is the full HTML code:

<iframe src="http://www.mtbonline.it/fablab/" width=100% height=100% frameborder="0">
<script language="javascript">
// the redirect to YouTube went here; the exact statement is not preserved in this post
</script>
</iframe>

The part that does the trick is that redirect to YouTube. That redirect motivates Google to decide that is nothing more than a secondary URL for

Can you see where this is going?

Why it works

That redirect is executed only by those browsers that don't support frames, but all browsers support frames nowadays, so in practice the redirect never happens to the users that visit the URL.

Unfortunately, Google erroneously assumes that the redirect to YouTube is actually executed by browsers and, as usually happens when Google finds redirects, they decide that is just a non-canonical URL of the destination of the redirect:

Once is considered just a secondary URL of, asking for the number of its +1s is like asking for the number of +1s of!
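A check a site owner can run on a page before linking its URL to a Google+ page, added here as an example (it is not code from this post, from the linked articles or from Google): it parses the HTML and flags JavaScript redirects, noting which ones sit in <iframe> fallback content, which browsers never execute but which a crawler may treat as a real redirect. The class and function names, the redirect regex and the sample markup are my own assumptions.

```python
import re
from html.parser import HTMLParser

# JavaScript redirect idioms a crawler may follow ("=(?!=)" skips "==" comparisons).
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=(?!=)|"
    r"location\.(?:replace|assign)\s*\(",
    re.IGNORECASE,
)

class RedirectFinder(HTMLParser):
    # Collects <script> bodies and remembers whether each one sits inside <iframe>
    # fallback content, which only browsers without frame support ever render.
    def __init__(self):
        super().__init__()
        self.iframe_depth, self.in_script, self.buf = 0, False, []
        self.script_in_iframe = False
        self.findings = []  # (in_iframe_fallback, script_text) per redirecting script
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframe_depth += 1
        elif tag == "script":
            self.in_script, self.buf = True, []
            self.script_in_iframe = self.iframe_depth > 0
    def handle_endtag(self, tag):
        if tag == "iframe" and self.iframe_depth:
            self.iframe_depth -= 1
        elif tag == "script" and self.in_script:
            self.in_script = False
            text = "".join(self.buf).strip()
            if REDIRECT_RE.search(text):
                self.findings.append((self.script_in_iframe, text))
    def handle_data(self, data):
        if self.in_script:
            self.buf.append(data)

def find_js_redirects(html):
    """Return [(in_iframe_fallback, script_text), ...] for every redirecting script."""
    parser = RedirectFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample with the structure the post describes: a full-page frame whose
# fallback content carries a JavaScript redirect to an unrelated site.
SAMPLE = ('<iframe src="http://frame.example/" width=100% height=100% frameborder="0">'
          '<script language="javascript">window.location = "http://video.example/";'
          '</script></iframe>')

if __name__ == "__main__":
    print(find_js_redirects(SAMPLE))  # [(True, 'window.location = "http://video.example/";')]
```

Any finding with the first element True is the pattern described in this post: a redirect that real visitors never see but that a crawler may use to canonicalise the URL elsewhere.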

How serious is the bug?

Anybody can easily exploit the bug and show fake +1s in their Google+ pages and badges. Any application based on the Google+ API will also receive the fake +1 count from Google.

The bug seems to me a bit complex because it involves, in part, the canonicalization system used by the search engine. Also, Google already knows that there is a limitation in the system that handles the linking between Google+ pages and websites: in their guidelines they even explicitly ask webmasters not to link a Google+ page to a redirecting URL.

Nonetheless, I'm sure that they will remove the bug, sooner or later.

It does not end here

In this post I've over-simplified the whole story because all the details are discussed in two articles, written by +Martino Mosna and +Maurizio Ceravolo. Read the following articles and enjoy all the details!

How the discovery was made:
(in Italian)

Technical analysis, tests, live examples and several ways to reproduce the bug:

The Google help page about linking websites to Google+ pages:

#googleplus   #bug   #plusonemirror   #lowlevelpost  
Yup +Maurizio Ceravolo, the hijack test page has worked! Which page has been hijacked and what has happened to their +1 count?