Easy Hack Allowed Anybody to Remove Domains From Google's Index
Google’s Webmaster Tools are a collection of handy utilities for website owners to check how Google sees their sites, report moved sites and check on search engines stats for their domains. Today, however, UK-based developers James Breckenridge also found a way to use this tool to remove any domain from Google’s index with just a simple copy and paste hack. Google is already blocking this attack, so while you may be able to think of a few sites you don’t want Google to ever find again (either yours or others), it’s now too late to use this exploit.
Here is how Breckenridge explained the hack:
The process was actually very simple and just required some minor modifications to a URL, followed by a form submission.
Edit the following URL:
https://www.google.com/webmasters/tools/removals-request?hl=en&siteUrl=http://{YOUR_URL}/&urlt={URL_TO_BLOCK}
Replace in the URL above: [list]
- {YOUR_URL} = A URL you control within Webmaster Tools
- {URL_TO_BLOCK} = The URL of the site you want to block:
- You can request removal of the following:
- Site – Provide top level domain (E.g. http://www.someurl.com/)
- Section – Provide URL of the folder (E.g. http://www.someurl.com/somefolder/)
- Page – Provide URL of the page (E.g. http://www.someurl.com/somefolder/somepage.html) [/list]
- You can request removal of the following:
Given the importance of having your site listed in Google’s index, it is surprising that a massive issue like this went undetected for a potentially very long time. It’s not clear if anybody else had already found and exploited this issue before Breckenridge reported it, but given how easy this hack was, I wouldn’t be surprised.
