Google withdraws URL removal option after delisting flaw discovered

According to James Breckenridge, operations manager with UK Web Media, he was recently busy removing thousands of URLs from within Google's webmaster tools feature and, after developing a Chrome extension to automate the process, he was able to input the required URLs to be removed in a simple list.

"Then I made a little mistake and accidentally removed a URL of a website I have no relation to, I was stunned it could be that easy. Surely there was no way Google would actually remove the page, right", he says in his latest blog.

"I decided to dig a little deeper and do a few tests to see how powerful this could potentially be and how wrong was I. These are the tests I performed, some of which I do not have screenshots for as I really didn't think it would actually work:

The Tests

Remove a website I control (not in my webmaster tools account) on 18/07/2011 - Gone!

Remove a URL on one of the world’s largest websites (the accident) on 18/07/2011 - Gone!

Remove a friends blog (blank and with permission) on 18/07/2011 - Gone!

Although Infosecurity notes that Google has now removed the option and is in the process of fixing the flaw, Breckenridge says that the process was quite simple and requires some minor modifications to a URL, followed by a form submission.

After submitting the URL string, the operations manager said the data is inserted as a pending request in the site owner's Webmaster Tools account.

"If the request is not cancelled it usually leads to the removal of the site from Google's index which is why I think this is probably the biggest vulnerability in Google today and why I am highlighting it here", he says.

"I can't believe I am the only person to figure this out and there are a number of things that could be happening right now if this information is already in the wrong hands", he adds.

After notifying Google of the problem, Breckenridge reports that the option was removed within seven hours of his reporting the issue.

"Great work by the team at Google to get it fixed and all the URL's removed in this way should now be back in the index", he said.


What’s Hot on Infosecurity Magazine?