Claus Schmidt writes about Page Hijack: The 302 Exploit, Redirects and Google. Although Google is not the only search engine with this problem (Yahoo is no longer vulnerable), Claus asks to spread the word as the problem is long known, but not dealt with by the various search engines (except Yahoo, at least).

The trick is easy: put a script on your website that redirects with a 302 to any other website you would like to hijack. When eg. GoogleBot encounters this redirect, it eventually store the URL to this script into the database and not the URL of the target. That means, if someone uses eg. Google to search the web and the page you hijacked matches the request, it would display an excerpt of the hijacked site, but with the link to your script.

If you know programmed your script to distinguish between GoogleBot and a normal user, you would be able to redirect this user to any of your sites and thus have hijacked the reputation of this website.

The original URL would be removed from the search engine’s database, but this happens on a not predictable way, as Claus describes. Sometimes the page with the higher page rank might win, but he also encountered situations where this is not the case. The search engine would replace the original URL, as it now has two different starting points (your script and the the original URL), but the same page URL (the target of your script’s redirect and the original URL itself). So it removes one of this duplicated entries.

It’s time for the search engines to change this behaviour and Claus asks us for help. I gladly did so.