Google’s moved quickly to disable a flaw that allowed anybody that felt like it to remove websites from its search index at will.
The problem was uncovered by James Breckenridge, operations director at UK Web Media. He was using Google’s webmaster tools to delete his own websites from Google’s search index, when he accidentally deleted one that was nothing to do with him – and which, he says, belonged to one of the world’s largest websites.
Because Breckenridge had thousands or URLs to remove, he’d decided on a short-cut, making a Chrome extension to add a link next to a result in a Google search, deep-linked into webmaster tools.
“With that installed I was busy clicking away removing the URLs in record time,” he says.
“Then I made a little mistake and accidentally removed a URL of a website I have no relation to! I was stunned it could be that easy.”
Once the request was made, he says, it was inserted as a pending request in the site owners Webmaster Tools account.
“If the request is not cancelled it usually leads to the removal of the site from Google’s index, which is why I think this is probably the biggest vulnerability in Google today and why I am highlighting it here,” he says.
“I can’t believe I am the only person to figure this out, and there are a number of things that could be happening right now if this information is already in the wrong hands.”
Breckenridge had some initial difficulty in reporting the flaw to the right people at Google. However, he says, eventually he succeeded. Seven hours later the flaw was patched.