Major Google URL Removal Exploit Found & Resolved

A Google Webmaster Tools user found a security hole that allowed him to delete any web page from Google's index. Luckily, once the exploit was reported, Google had it patched within seven hours.

The "Let's Hack the Index" Exploit

James Breckenridge, a web project manager and SEO, was attempting to remove a large number of URLs from the Google index through Google Webmaster Tools. Tired of how long the process was taking, he created a quick extension that could generate the submission requests directly from the search engine results page. To his surprise, the extension allowed him to tell Google not to index any page he selected – even if he didn't own it.

How was this possible? To complete the final step of a request not to index a page, Google used a predictable URL: https://www.google.com/webmasters/tools/removals-request?hl=en&siteUrl=http://{YOUR_URL}/&urlt={URL_TO_BLOCK}. By simply changing the target URL segments (the siteUrl and urlt values), via extension or by hand, users could tell Google not to index a site, including one they did not own. The request would then move to the pending requests in Google Webmaster Tools, and the page would subsequently be removed from the index.
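The kind of server-side check whose absence would allow the behaviour described above, as an added example (not code from Google or from Breckenridge's post): both siteUrl and urlt are treated as untrusted input. The account store, function names and hostnames are assumptions made up for illustration, and a verified site is assumed to be a whole origin.

```python
from urllib.parse import urlsplit

# Hypothetical record of which sites each account has verified (constructed data).
VERIFIED_SITES = {
    "alice": {"http://alice.example/"},
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port), or None if url is not an absolute http(s) URL."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return scheme, parts.hostname.lower(), port


def removal_allowed(user, site_url, urlt):
    """Authorize a removal request built from the siteUrl and urlt parameters.

    1. siteUrl must be a site this account has verified ownership of.
    2. urlt must have the same origin as that site; a string prefix test is
       not enough, since a userinfo part or a look-alike subdomain would pass it.
    """
    if site_url not in VERIFIED_SITES.get(user, set()):
        return False
    site, target = _origin(site_url), _origin(urlt)
    return site is not None and site == target
```

The comparison is done on parsed origins on the server, for every request, so it holds no matter how the request URL was produced.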

Breckenridge posted further details on his blog, and included this screenshot:

[Screenshot: removing a website from Google via Google Webmaster Tools]

Google's 7-Hour Response

While Breckenridge later commented that he should have been more discreet in how he addressed the exploit, his approach did seem to get Google's attention. According to an update on Breckenridge's blog post, "This [exploit] was fixed within 7 hours of reporting the problem. Great work by the team at Google to get it fixed and all the URLs removed in this way should now be back in the index."

A Google spokesperson confirmed that the issue had been addressed, and that "The URL removal feature kept detailed records, so we're currently reprocessing earlier removal requests to ensure their validity." In other words, the issue should be completely resolved in the very near future. According to the Google spokesperson, the issue "has shown only a limited impact" despite the simplicity of the hack.

At the end of the day, the biggest item of note here is that something as simple as a modified URL could be used to sabotage a site on the Google index. One has to wonder how many other chinks in the armor Google hasn't yet seen or addressed.