動區 BlockTempo · 2026-05-21 02:15:26

20 Minutes to Fool Google AI: A Single Blog Post Can Poison the "Only Answer" Seen by 2.5 Billion People

BBC reporter Thomas Germain spent only 20 minutes in February this year publishing a post on his personal website. The next day, Google, ChatGPT, and Gemini were simultaneously spreading the lie: "He is the world champion hot dog eater." The same technique is now being used by commercial operators to distort AI answers on serious topics like medical supplements, retirement planning, and elections.

While all AI companies are still competing this summer over whose model has more parameters or higher benchmark scores, Google quietly added a new rule deep within its developer documentation: "Manipulating generative AI responses" is now officially listed as a violation of its spam policies. This is not a technical upgrade announcement, but the first time Google has officially admitted that its most relied-upon feature is being polluted in the cheapest way possible.

In an investigative report on May 19, senior tech reporter Thomas Germain recounted the experiment he conducted in February: he published an article on his personal website claiming to be the "world champion hot dog eater," and then waited. In less than 20 minutes, Google, ChatGPT, and Gemini began confirming this lie to users who asked.

The underlying mechanism is not complex. AI chatbots usually answer questions based on training data, but ChatGPT, Claude, and Google AI pull data directly from the web when processing current events or queries about people. A characteristic of these tools is their tendency to extract answers from a "single webpage or social media post" rather than cross-referencing multiple sources.

This technique is known as indirect prompt injection: attackers manipulate the output through external content that the AI reads, without needing direct access to the model itself. The operational cost is almost zero: a carefully crafted blog post, placed where Google can index it, can cause the products of the world's three largest AI companies to simultaneously spread misinformation. Germain described this experience as one of the "stupidest things" he has ever done, but during his investigation, he discovered that some people had already turned this into a business model.

Germain's hot dog experiment was a harmless demonstration. But the same attack technique is being used by malicious actors to manipulate issues of a completely different magnitude. Cases discovered in the investigation include: denying health concerns regarding certain medical supplements, distorting AI recommendations for retirement financial products, and manipulating AI to provide biased answers in elections or vendor comparisons.

Microsoft's research further quantified the scale of the problem: over 50 cases of AI recommendation pollution, spanning 31 companies across 14 industries. This is not an isolated prank, but a systemic operation that has spread throughout the industry.

Lily Ray, founder of SEO and AI search consultancy Algorythmic, pointed out the structural problem: "In the past, Google gave you 10 blue links, and you would do your own research; now AI gives you only one answer, and it's too easy to take it as truth." AI has taken the task of "information filtering" out of the hands of users and concentrated it into a black box. Those who can pollute the output of this black box possess not just advertising influence, but the ability to manipulate the user's perception itself.

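
The single-source weakness described above suggests a check on the retrieval side: state a claim as fact only when more than one independent site supports it. The following Python is an added example, not code from the article or from any vendor; the function names, the two-site threshold and the sample URLs and claims are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

MIN_SITES = 2  # assumed policy threshold, not a figure from the article

def site_of(url):
    """Crude site key: last two hostname labels (assumption; production code
    would consult the Public Suffix List)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def corroborate(retrieved):
    """Map each claim to the distinct sites asserting it and a status.

    retrieved: (url, claim) pairs; claims are assumed to be normalised
    upstream so that equal claims compare equal as strings.
    """
    sites = defaultdict(set)
    for url, claim in retrieved:
        sites[claim].add(site_of(url))
    return {
        claim: {
            "sites": sorted(found),
            "status": "corroborated" if len(found) >= MIN_SITES else "single-source",
        }
        for claim, found in sites.items()
    }

def answerable(retrieved):
    """Claims safe to state as fact; the rest should be shown as unverified."""
    return sorted(c for c, r in corroborate(retrieved).items()
                  if r["status"] == "corroborated")

# Constructed sample: the first claim appears on two pages of one site only.
SAMPLE = [
    ("https://www.reporter-blog.example/hot-dog-champion",
     "J. Doe is the world hot dog eating champion"),
    ("https://blog.reporter-blog.example/about",
     "J. Doe is the world hot dog eating champion"),
    ("https://news.site-a.example/results", "A. Smith won the 2025 contest"),
    ("https://stats.site-b.example/2025", "A. Smith won the 2025 contest"),
]

if __name__ == "__main__":
    for claim, result in corroborate(SAMPLE).items():
        print(result["status"], result["sites"], claim)
```

Counting distinct sites only raises the cost of planting an answer; an operator who controls several domains still passes this gate, so it complements source-reputation signals and does not replace them.
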
Although Google detailed its various defense efforts in its 2025 anti-spam AI report, Germain's experiment was conducted about a year after that report was released, and the results show that those efforts have not truly worked. Google quietly updated its search anti-spam policy around May 15, officially listing "manipulating generative AI responses" as a violation, which could lead to websites being demoted or removed from search results.

Google's own Security Blog also revealed in April that between November 2025 and February 2026, detections of malicious prompt injection rose by 32%. Indirect prompt injection has evolved from a theoretical threat in the lab to a real-world attack on the open web.

The defense side is also evolving: Ray observed that Google and ChatGPT seem to have quietly started removing "suspected self-promotional sources" from AI answers. ChatGPT and Claude have begun to state explicitly in some queries that they are "filtering out spam content"; for questions related to purchase decisions, Google has started suggesting that users refer to third-party reviews. OpenAI and Anthropic both declined to comment on Germain's report.

However, SEO consultant Harpreet Chatha (Harps Digital) directly pointed out the asymmetric nature of the offense and defense: "Google is playing whack-a-mole. Announcing policy updates is meant to deter people, but tactics will shift. You can punish a website, but you can't stop it from paying 2