(no title)

Fix is easy enough - check the http referer before showing a result. E.g in insites.io(or any liquid scripting site) you can check like this: {% assign is_internal_search = context.headers.HTTP_REFERER contains context.location.host %}

Just check the search is happening on a site or device you own. That attack vector is then gone (hackers cannot spoof the refer that google sends via ads.)