SEO News

Major Google URL Removal Exploit Found & Resolved

by , Comments

A Google Webmaster Tools user found a security hole that allowed him to delete any web page from Google's index. Luckily, once the exploit was reported, Google had it patched within seven hours.

The "Let's Hack the Index" Exploit

James Breckenridge, a web project manager and SEO, was attempting to remove a large number of URLs from the Google index through the Google Webmaster Tools. Tired of how long the process was taking, he created a quick extension that could generate the submission requests directly from the search engine results page. To his surprise, the extension allowed him to tell Google not to index any page he selected – even if he didn't own it.

How was this possible? To complete the final step of the request not to index a page, Google uses a predictable URL:{YOUR_URL}/&urlt={URL_TO_BLOCK}. By simply changing the target URL segments, via extension or by hand, users could tell Google not to index a site. The request would then move to the pending requests in Google Webmaster Tools and would subsequently be removed from the index.

Breckenridge posted further details on his blog, and included this screenshot:


Google's 7-Hour Response

While Breckenridge later commented that he should have been more discreet in how he addressed the exploit, his approach did seem to get Google's attention. According to an update on Breckenridge's blog post, "This [exploit] was fixed within 7 hours of reporting the problem. Great work by the team at Google to get it fixed and all the URL's removed in this way should now be back in the index."

A Google spokesperson confirmed that the issue had been addressed, and that "The URL removal feature kept detailed records, so we're currently reprocessing earlier removal requests to ensure their validity." In other words, the issue should be completely resolved in the very near future. According to the Google spokesperson, the issue "has shown only a limited impact" despite the simplicity of the hack.

At the end of the day, the biggest item of note here is that something as simple as a modified URL could be used to sabotage a site on the Google index. One has to wonder how many other chinks in the armor Google hasn't yet seen or addressed.

ClickZ Live New York What's New for 2015?
You spoke, we listened! ClickZ Live New York (Mar 30-Apr 1) is back with a brand new streamlined agenda. Don't miss the latest digital marketing tips, tricks and tools that will make you re-think your strategy and revolutionize your marketing campaigns. Super Saver Rates are available now. Register today!

Recommend this story

comments powered by Disqus