Aaaaaand... here it is.
I have an unbelievable story to tell you.
A few days ago +Demetrio Siragusa asked me to look at a Google+ page that he manages. The page, linked to a website, had mysteriously acquired millions of +1s in just a few days, for no apparent reason.
So I've investigated both the Google+ page and the website it is linked to, and I have discovered why Google has erroneously attributed so many +1s to the page.
Anyone can replicate this phenomenon; it's child's play.
We could call it "+1 mirroring".

How it works
The Google+ page managed by Demetrio doesn't show the fake number anymore but I've saved all the information needed to explain the bug to you. If you are curious to see some live examples of the bug, don't worry, just keep reading.
The Google+ page that had acquired more than 10 million +1s was this one: https://plus.google.com/100116212512482122910/posts
http://Fablabpalermo.org is the URL of the website linked to the Google+ page.
.it/fablab/" width=100% height=100% frameborder="0">
The part that does the trick is that redirect to YouTube. That redirect leads Google to decide that Fablabpalermo.org is nothing more than a secondary URL for www.youtube.com.
Can you see where this is going?

Why it works
That redirect is executed only by browsers that don't support frames, but all browsers support frames nowadays, so in practice the redirect never happens for the users who visit the URL.
Unfortunately, Google erroneously assumes that the redirect to YouTube is actually executed by browsers and, as usually happens when Google finds redirects, decides that Fablabpalermo.org is just a non-canonical URL of the destination of the redirect: www.youtube.com.
Once Fablabpalermo.org is considered just a secondary URL of www.youtube.com, asking for the number of its +1s is like asking for the number of +1s of www.youtube.com!

How serious is the bug?
Anybody can easily exploit the bug and show fake +1s in their Google+ pages and badges. Any application based on the Google+ API will also receive the fake quantity of +1s from Google.
The bug seems a bit complex to me because it involves, in part, the canonicalization system used by the search engine. Also, Google already knows that there is a limitation in the system that handles the linking between Google+ pages and websites. In their guidelines they even explicitly ask webmasters not to link a Google+ page to a redirecting URL.
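A check a webmaster could run against their own page for the condition described above, added here as an example and not taken from the original post or the linked articles: it reports a redirect to another host that exists only in the page's frames fallback, where visitors never follow it but a crawler may. It assumes the redirect is a meta refresh inside a `<noframes>` element (the post's HTML is cut off, so that detail is an assumption); `fallback_redirects` and the `.example` hosts are hypothetical names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: the frameless-only redirect is a meta refresh in <noframes>.
# <noframes> is extracted with a regex so the result does not depend on
# whether the HTML parser treats its content as markup or as raw text.
NOFRAMES_RE = re.compile(r"<noframes\b[^>]*>(.*?)</noframes\s*>", re.I | re.S)
# content="<seconds>; url=<target>" as used by meta refresh.
REFRESH_RE = re.compile(
    r"^\s*\d+(?:\.\d*)?\s*[;,]\s*(?:url\s*=\s*)?['\"]?([^'\"]+)", re.I)


class MetaRefresh(HTMLParser):
    """Collects the targets of <meta http-equiv="refresh"> tags."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = REFRESH_RE.match(a.get("content") or "")
            if m:
                self.targets.append(m.group(1).strip())


def fallback_redirects(page_url, html):
    """Return off-host redirect targets that exist only inside <noframes>."""
    page_host = urlsplit(page_url).hostname
    found = []
    for block in NOFRAMES_RE.finditer(html):
        parser = MetaRefresh()
        parser.feed(block.group(1))
        parser.close()
        for target in parser.targets:
            absolute = urljoin(page_url, target)
            if urlsplit(absolute).hostname != page_host:
                found.append(absolute)
    return found


# Constructed sample page (hypothetical hosts under the reserved .example TLD).
SAMPLE = """<html><frameset rows="100%">
<frame src="https://site.example/real-content/">
<noframes><meta http-equiv="refresh" content="0; url=https://video.example/">
</noframes></frameset></html>"""

if __name__ == "__main__":
    for url in fallback_redirects("https://site.example/", SAMPLE):
        print("redirect visible only to frameless clients:", url)
```

An empty result means no off-host redirect was found in the frames fallback; a redirect that every browser executes is out of scope for this check.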
Nonetheless, I'm sure that they will remove the bug, sooner or later.

It does not end here
In this post I've over-simplified the whole story because all the details are discussed in two articles, written by +Martino Mosna and +Maurizio Ceravolo. Read the following articles and enjoy all the details!
How the discovery was made (in Italian): http://www.engeene.it/come-ottenere-10-milioni-di-piu-1-in-una-settimana/
Technical analysis, tests, live examples and several ways to reproduce the bug: http://www.ideativi.it/blog/543/how-to-get-millions-of-1-for-free.aspx
The Google help page about linking websites to Google+ pages: https://support.google.com/plus/answer/1713826?hl=en
#googleplus #bug #plusonemirror #lowlevelpost