Google denies its search bar caused Singapore websites breach

Google refutes claims its search bar compromised two Singapore websites last week, but ZDNet understands previous reports attributing such claims to the the country's ICT regulator were inaccurate.
Written by Eileen Yu, Senior Contributing Editor

SINGAPORE--Google has broken its silence to refute reports stating a vulnerability in its search bar had compromised the websites of two government offices. 

Hackers redirected online visitors searching within the websites of the Prime Minister's Office (PMO) and Istana to view content and messages on another webpage resembling the two sites, but were actually created by the hackers. As a result, visitors were made to believe the websites had been defaced when, in fact, they continued to function normally. 

Singapore ICT regulator Infocomm Development Authority (IDA) was cited by local media reports to blame a vulnerability in Google's search bar, embedded in the two websites, as the cause of the breach. In a media briefing to which only local media were invited, IDA was quoted to say the vulnerability was exploited but detected within 15 to 20 minutes on both sites. 

In response to the claims, a Google spokesperson told ZDNet in an e-mail Wednesday: "It has come to our attention that the PMO's website recently experienced an attack in the search functionality of the site run by Google's Custom Search Engine site-search widget.

"After investigation, it appears that the code in the Google custom search engine is safe and the vulnerability lies with the coding on the webpage."

While IDA declined to comment further on this issue as it is currently under police investigation, ZDNet understands the regulator was misquoted in local news reports. Rather than Google's search bar, it had instead pointed to a vulnerability in the search function which the hackers were able to exploit and redirect visitors to the external webpages.

Google's search widget and the two government websites had functioned properly, but what was missing was the input or data validation--a process which validates data entered into the search bar is "clean" and accurate based on validation rules or "check routines". These rules are typically set by the Web application developer, or in this case, the website owner.

In this instance, the lack of input validation allowed hackers to use cross-site scripting (XSS) to compromise the two government websites, exploiting the erroneous way search functions were handled on the sites to inject content from external sources. 

According to IDA, the vulnerability has since been patched. When asked, it declined to reveal whether the two government websites were developed internally or by an external Web developer. 

Singapore police on Tuesday said five suspects had been brought in for questioning over this incident. 

Editorial standards