A bug that anyone can easily exploit in Google makes it easy to kick out manipulated search results that look entirely real.
The search manipulation bug was documented by Wietze Beukema, a London-based security specialist, who warned that a malicious user could use this bug to generate misinformation.
This is done by splicing together values from a Google search result’s “knowledge graph,” the cards that pop up in search results to supplement the search query with visuals and quick facts. Anything from countries, planets, tech news sites and more have cards that appear on the right-side of Google’s search results, displaying other nuggets of information at a glance.
In a blog post, Beukema explained that the short, shareable URL when entered into a Google search result could be chopped and added to the web address of any other search query.
So, when you’d search: “What is the capital of Britain,” you’d expect London to return. Actually, you can make it any value — such as Mars.
It also works if you search “Who is the US president?” You can just manipulate the result to read “Snoop Dogg.”
A bug makes it easy to put the contents of a knowledge card into a search result. (Image: TechCrunch)The manipulated search query doesn’t break HTTPS, so anyone can craft a link, send it in an email, tweet it out or share it on Facebook — and the recipient, one assumes, would be none the wiser. But that can be a real problem in an age of mistrust of internet companies after misinformation campaigns by nation-state actors.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
Beukema warned that this search manipulation bug could be used to spread factually incorrect information, or even propaganda.
“Who is responsible for 9/11?” can be pointed to George Bush, a widely held conspiracy theory. “Where was Barack Obama born?” can be pointed to Kenya, another conspiracy theory largely propagated by his successor, Donald Trump, who later backtracked on the claim.
And even, “Which party should I vote for?” can be pointed to either the Republicans or the Democrats.
No wonder so many people think the election was rigged if they think they can click a button and have a search engine tell them who to vote for.
Beukema told TechCrunch that anyone can “generate normal-looking Google URLs that make controversial assertions,” which can “either look bad on Google, or worse, people will accept them as being true.”
He said that he first reported the bug to Google in December 2017, but the report was closed without the company taking any action.
“The ‘attack’ I described relies on this trust people have in Google and the facts it presents,” he said.
The bug is still active at the time of writing. In fact, it’s been known about for almost three years. Beukema simply brought the issue to light after first discovering the issue more than a year ago. But it’s already sparked interest from the hacker community. One developer, Lucas Miller, took just a few hours to build a Python script to automatically generate fake results based on search queries.
It’s a mystery why Google, despite claims of political bias (though no evidence to say it’s true), has taken so long to fix a basic weakness in its search results that would make the service far more trustworthy.
A Google spokesperson told TechCrunch that it was “working to fix” the issue.
