Security Point Break: Cybersecurity News and Analysis with Clarity and Candor

Google Steps Up Efforts to Block ‘Back-Button Hijacking’ Spammers

Google’s new spam policy targets back-button hijacking, penalizing sites that misuse navigation to trap users.

Google is updating its spam policies to more aggressively target “back-button hijacking,” a deceptive technique that traps users in unwanted page loops.

The tactic is triggered when a user clicks a link, lands on a page, and then tries to navigate back – only to be redirected elsewhere instead of returning to the previous page.

“It occurs when a site interferes with a user’s browser navigation and prevents them from using their back button to return to the previous page,” the Google Search team said in a post on its Google Search Central Blog earlier this week.

Gateway to Bad Things

Security researchers have repeatedly documented campaigns that use redirect chains, compromised websites, fake CAPTCHAs, and ad-tech middlemen to push users toward phishing, fraudulent push-notification subscriptions, exploit-kit landers, and malware-hosting pages. In that context, trapping a user in a page loop can be the first step in keeping them inside a malicious traffic funnel.

Under the updated Google policy, which takes effect June 15, 2026, sites that use back-button hijacking may be flagged as spam. Google’s recourse will include pushing the offending site down in search results, suppressing some pages, or in serious cases restricting the site from appearing in Search results.

Google warned users that the behavior is often introduced through third-party components, such as ad networks or embedded scripts, meaning site owners may not realize their site is doing it.

“Some instances of back-button hijacking may originate from the site’s included libraries or advertising platforms,” the team said.

Google is not the first company to react to navigation abuse. Chromium-based browsers have attempted to use technical interventions to skip manipulated history entries. Search engine Yandex has long penalized deceptive redirects, and Firefox developers are also grappling with back-button abuse.

Google’s move stands out because it explicitly turns back-button hijacking itself into a named spam-policy violation.

Why It Works

Because the behavior relies on legitimate browser features, Google is tackling it at the search-policy level rather than through browser enforcement.

The move highlights a gap between browser-level security fixes and web ecosystem abuse. While modern browsers have largely eliminated older navigation attacks such as reverse tabnabbing, back-button hijacking relies on legitimate browser history, making it difficult to block outright without disrupting normal site behavior and expected browser functionality.

As a result, Google is treating it as a spam and abuse problem.

Site operators are urged to audit their code, dependencies, and configurations to eliminate behavior that could put the site in the Google penalty box.
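One way to start that audit is to record which script adds history entries and whether it does so before the visitor has interacted with the page. The sketch below is an added example, not code from Google or from this article. It assumes the unwanted entries are created through the History API (`pushState`/`replaceState`), and the names `installHistoryAudit`, `summarize` and `callerSource` are hypothetical.

```javascript
// Added audit sketch. Assumption: the page loop is built with the History API,
// which the article only describes as "legitimate browser history" features.
function callerSource() {
  // Frames carrying line:col info: [0] this function, [1] our wrapper, [2] the real caller.
  const frames = (new Error().stack || "").split("\n").filter((l) => /:\d+:\d+\)?\s*$/.test(l));
  const m = frames[2] && frames[2].match(/([^\s(@]+):\d+:\d+\)?\s*$/);
  return m ? m[1] : "unknown";
}

function installHistoryAudit(win) {
  const log = [];
  for (const method of ["pushState", "replaceState"]) {
    const original = win.history[method];
    win.history[method] = function (state, title, url) {
      const ua = win.navigator && win.navigator.userActivation;
      log.push({
        method,
        url: url === undefined ? null : String(url),
        // false = the visitor has not clicked, tapped or typed on this page yet
        userHasInteracted: ua ? ua.hasBeenActive : null,
        source: callerSource(),
      });
      return original.apply(this, arguments); // behaviour of the page is unchanged
    };
  }
  return log;
}

// Group calls by originating script. Entries pushed before any interaction
// are the ones worth tracing back to a dependency or ad tag.
function summarize(log) {
  const bySource = new Map();
  for (const e of log) {
    const row = bySource.get(e.source) || { source: e.source, calls: 0, beforeInteraction: 0 };
    row.calls += 1;
    if (e.method === "pushState" && e.userHasInteracted === false) row.beforeInteraction += 1;
    bySource.set(e.source, row);
  }
  return [...bySource.values()].sort((a, b) => b.beforeInteraction - a.beforeInteraction);
}
```

On a staging copy of the site, call `installHistoryAudit(window)` in an inline script placed ahead of every third-party tag, load the page without touching it, and inspect `summarize(log)`. Single-page-app routers also call `pushState`, so a non-zero count is a lead to review, not a verdict.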


Shaun Nichols is an IT news journalist. He has spent nearly 20 years covering the industry with a specialty in the cybersecurity
