Security Experts Express Concern Regarding Google Instant Pages

Security researchers are concerned that a new Google Chrome feature called Instant Pages might enhance exploitation attacks.

In an attempt to make the web experience faster, Chrome will load the content behind top search result links in the background. In this way, when the user clicks on that link, the page loads almost instantly and there's no more waiting.

"For searches when we can predict with reasonable confidence that you’ll click on the first result, Instant Pages technology will begin loading that webpage early so that by the time you click on the result, the entire webpage appears fully loaded instantly," Google explained in a blog post

Researchers are concerned that this new feature could be exploited to make drive-by downloads and other attacks easier to pull off. "This leads to some interesting exploit scenarios," says Dan Hubbard, security researcher at Websense.

"In the past, search algorithms have been duped to have malicious pages show up in results. In those cases, although they are dangerous, the user still has to click on one of the top results to get infected. In the new scenario, the big question is if a user can be exploited by simply searching, without even clicking on a link," he adds.

Indeed, the ability of cyber criminals to push malicious links at the top of search results is well known, although, truth be told, Google has made significant progress in fighting such black hat SEO attacks in recent times.

Therefore, getting a malicious link as the very first search result for a set of keywords that would affect a lot of people, would prove very difficult, if not impossible, to do under current circumstances.

However, prerendering is not only available to Google search, but to virtually any website. Forcing Chrome to prerender a link only equires setting a rel="prerender" parameter to it.