Thousands of hotel listings on Google+ Maps and Google+ have been hijacked to point to an external commercial site, leading to allegations of an 'inside job'.

The official Google+ pages of hotels and guest houses across the globe including the US and UK have had details, including the external web address for their pages, changed by an unknown third party. That has effectively "poisoned" search results for those properties, because the Google+ listings are used to populate Google Maps listings and Google search results, as well as other Google services.

The web addresses listed were altered to point to a third-party booking service.

In one example, “the URLs for the hotel’s official website leads to “courtyardmarriott.roomstobook.info” rather than the hotel’s actual page here within the Marriott.com domain,” said Danny Sullivan of Search Engine Land who discovered the hijacks.

The majority of the verified listings were altered to direct visitors to websites Roomstobook.net and Roomstobook.info, both of which then redirect to the third-party booking service Hotelswhiz.com, or to hotel pages within the Roomstobook websites.

"We were not involved in the hijackings and we are dealing with the fallout. We reported the redirect issue to Google when we spotted it on 8 January," Karim Mawani, director of HotelsWhiz.com told the Guardian.

"Because of the backlinks [from the Google+ pages through the .info domains to the hotelswhiz site] we have been penalised by Google and our site has been paralysed, so we are victims here," he said.

Mawani said that he and his company didn't know what or who carried out the modifications to the Google+ listings.

A search of Google+ listings also showed the domain Roomstobook.org being used, with over 4,000 listings affected in total.

Anyone can attempt a change

The Guardian has confirmed that anyone with a Google+ account - which can be obtained by registering a Gmail email - can submit a change to any detail of a Google+ Local page, whether verified or not, including the listed website address, phone number, physical address or name of the place. Users can also mark the place as closed, as a duplicate or flag inappropriate reviews or photos.

Anyone with a Google+ account can submit changes to business and place listings. Photograph: Samuel Gibbs/Screengrab

However once submitted, the change must be reviewed before being implemented on the listing.

Changes submitted are then reviewed before being published. Photograph: Samuel Gibbs/Screengrab

Allowing anyone, rather than the verified owner of the business or place in the listing, to submit modifications opens up Google’s system for abuse. An automated correction submission programme could be used to overwhelm the system of check required before a change is verified.

An inside job?

Google’s support documents for Google+ Local pages state that edits made by business owners and other users will be reviewed prior to publishing for “quality”. Google also states that:

“Our systems may also update your business information based on other data sources or reports from our users, if that information appears to be more up-to-date and accurate for your business.”

Google did not respond to requests to explain whether the review system for edits is automated, conducted by people or a mixture of both. A failure on this scale could indicate that an automated system had been gamed into allowing the hijacks, or that a human had either accidentally or deliberately approved the URL changes.

But the scale of the changes has sparked allegations of an inside job.

“My prediction is, this was an inside job with someone at Google. Not to be a conspiracy theorist, but any and all modified URLs have to be okay'ed by a Maps moderator. No one is dumb enough to believe the official URL of a hotel lives on roomstobook.info... come on!” said Matthew Hoff of public relations company Merkle, who also discovered modifications made to listings of hotels Merkle represents, in a comment on Sullivan's story.

Google+ Local pages are used to populate search results as well as listings on Google Maps, and therefore a failure like this could have significant knock-on effects for the businesses affected, as well as users unknowingly caught out by the redirect.

Google aware

Google said in a response that it is "aware of the issue and we are working to fix it". It did not respond to questions about whether the changes could have been the result of cooperation by an insider with a third party to approve the revisions.

The search engine has also initiated a cleanup of the affected pages, removing the verified Google+ listings in favour of non-verified but "correct" pages.

• In January, Google enabled a Google+ feature that allows anyone with a Google account to email any user without knowing their email address