Easy Hack Allowed Anybody to Remove Domains From Google's Index

Google’s Webmaster Tools are a collection of handy utilities for website owners to check how Google sees their sites, report moved sites and check on search engines stats for their domains. Today, however, UK-based developers James Breckenridge also found a way to use this tool to remove any domain from Google’s index with just a simple copy and paste hack. Google is already blocking this attack, so while you may be able to think of a few sites you don’t want Google to ever find again (either yours or others), it’s now too late to use this exploit.

Here is how Breckenridge explained the hack:

The process was actually very simple and just required some minor modifications to a URL, followed by a form submission.

Edit the following URL:

https://www.google.com/webmasters/tools/removals-request?hl=en&siteUrl=http://{YOUR_URL}/&urlt={URL_TO_BLOCK}

Replace in the URL above: [list]

  • {YOUR_URL} = A URL you control within Webmaster Tools
  • {URL_TO_BLOCK} = The URL of the site you want to block:
    • You can request removal of the following:
      • Site – Provide top level domain (E.g. http://www.someurl.com/)
      • Section – Provide URL of the folder (E.g. http://www.someurl.com/somefolder/)
      • Page – Provide URL of the page (E.g. http://www.someurl.com/somefolder/somepage.html) [/list]

Given the importance of having your site listed in Google’s index, it is surprising that a massive issue like this went undetected for a potentially very long time. It’s not clear if anybody else had already found and exploited this issue before Breckenridge reported it, but given how easy this hack was, I wouldn’t be surprised.