Fixed: Remove Any Site From Google (even if you don’t control it)

by James on July 19, 2011

UPDATE: It would seem Google is looking into this right now, which is great. The sole reason I posted this was to get the issue patched. I couldn’t find a method of contacting Google or reporting this directly, and maybe naively thought this would generate the most gravitas.

UPDATE 2: This was fixed within 7 hours of reporting the problem. Great work by the team at Google to get it fixed, and all the URLs removed in this way should now be back in the index.

This is my first post, so I thought I should make it a good one. I hope you enjoy reading it as much as I have writing it.

Yesterday I was busy removing thousands of URLs from within Google’s Webmaster Tools. It was pretty time-consuming as there were so many; there had to be an easier way. I settled on quickly making myself a Chrome extension that adds a link next to a result in a Google search, deep-linked into Webmaster Tools. With that installed I was busy clicking away, removing the URLs in record time.

Then I made a little mistake and accidentally removed a URL of a website I have no relation to?!? I was stunned it could be that easy. Surely there was no way Google would actually remove the page, right?

I decided to dig a little deeper and do a few tests to see how powerful this could potentially be and how wrong was I! These are the tests I performed, some of which I do not have screenshots for as I really didn’t think it would actually work.

The Tests

  1. Remove a website I control (not in my webmaster tools account) on 18/07/2011 – Gone!
  2. Remove a URL on one of the world’s largest websites (the accident) on 18/07/2011 – Gone!
  3. Remove a friend’s blog (blank and with permission) on 18/07/2011 – Gone!

NB: In none of the tests were the pages blocked by robots, nor did they return a 404 response (apparently a prerequisite for removal).

How To Do It (please don’t and hopefully Google will patch it soon)

Disclaimer: If you are going to test this, please make sure you have permission from the site owner; otherwise, although it is a loophole, I am pretty sure it is illegal.

The process is actually very simple and just requires some minor modifications to a URL, followed by a form submission. Edit the following URL:

https://www.google.com/webmasters/tools/removals-request?hl=en&siteUrl=http://{YOUR_URL}/&urlt={URL_TO_BLOCK}

Replace in the URL above:

  • {YOUR_URL} = A URL you control within Webmaster Tools
  • {URL_TO_BLOCK} = The URL of the site you want to block:
    • You can request removal of the following:
      • Site – Provide top level domain (E.g. http://www.someurl.com/)
      • Section – Provide URL of the folder (E.g. http://www.someurl.com/somefolder/)
      • Page – Provide URL of the page (E.g. http://www.someurl.com/somefolder/somepage.html)

If you request the modified URL in your browser (make sure you are logged in to your Google account) you should see:

I didn’t actually remove the News Of The World by the way, News International have done quite a good job of that themselves. If you do actually click the Submit Request button, you should see the following:

It then gets inserted as a Pending request in the site owner’s Webmaster Tools account. If the request is not cancelled, it usually leads to the removal of the site from Google’s index, which is why I think this is probably the biggest vulnerability in Google today and why I am highlighting it here. I can’t believe I am the only person to figure this out, and there are a number of things that could be happening right now if this information is already in the wrong hands.

Thankfully, there is a time delay from when the request is made to when it is actually processed. The only reason I am happy to highlight this here whilst it is still possible, is because it should be so easy for them to fix (and should have never been possible in the first place).

I have tried to forward this on to Google in the hope that they fix it, but if anyone can pass it to the correct person that would be great. If someone from Google could email me, I also want to let you know the URL of the site I accidentally removed so you can remove the removal request for that URL.
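
The post does not say how Google fixed this. As an added example (not Google's code and not part of the original post), here is the kind of server-side check whose absence the post describes: `siteUrl` must be a property verified for the logged-in account, and `urlt` must fall inside it. The function names, the `verified_sites` list and the `mysite.example` host are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def scope_of(url):
    """Return (scheme, host, port, path ending in "/"); ValueError if unusable."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("not an absolute http(s) URL")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo is not accepted")  # user@host confusion
    host = parts.hostname.rstrip(".")  # .hostname is already lower-cased
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    # Decode once and collapse "." and ".." so /blog/../shop/ is not "under" /blog/.
    path = posixpath.normpath(unquote(parts.path) or "/")
    if not path.endswith("/"):
        path += "/"
    return scheme, host, port, path


def may_request_removal(verified_sites, site_url, target_url):
    """True only if site_url is one of the caller's verified properties
    AND target_url lies inside that property. Fails closed on bad input."""
    try:
        site, target = scope_of(site_url), scope_of(target_url)
        verified = {scope_of(s) for s in verified_sites}
    except ValueError:
        return False
    if site not in verified:  # siteUrl must really belong to this account
        return False
    same_origin = site[:3] == target[:3]
    return same_origin and target[3].startswith(site[3])


if __name__ == "__main__":
    mine = ["http://mysite.example/"]  # constructed sample account data
    for urlt in ("http://mysite.example/old/page.html", "http://www.someurl.com/"):
        print(urlt, may_request_removal(mine, "http://mysite.example/", urlt))
```

Comparing parsed scheme, host, port and normalized path, rather than doing a string prefix match on the raw URLs, is what keeps lookalike hosts and `..` segments from passing the check.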

{ 126 comments }

anonymous July 20, 2011 at 10:41 am

imagine automating this attack!

Keyvan July 20, 2011 at 11:46 am

You should have tried removing google.com lol

Burak Erdem July 20, 2011 at 12:31 pm

@James Nice finding but you would send an email to security@google.com as described here; http://www.google.com/about/corporate/company/security.html#section-reporting-issues. Maybe you would find a way into the Google Security Hall of Fame http://www.google.com/intl/en/about/corporate/company/halloffame.html :)

I hope Google will fix this very soon.

Vincent July 20, 2011 at 12:46 pm

It seems that it doesn’t work anymore. Thanks

musselburgh taxi July 20, 2011 at 12:48 pm

What a great first post, just a pity google are investigating or people could have had a lot of fun!

musselburgh taxi July 20, 2011 at 12:50 pm

great post lol, bye bye competitors

Mihai July 20, 2011 at 12:50 pm

looks like it’s patched

Sam C July 20, 2011 at 12:53 pm

Haha, I couldn’t help smiling… I think News of the World probably wish they could have made themselves vanish into thin air at the push of a button… Would have been so much easier! :)

sad July 20, 2011 at 1:14 pm

Fun! But … why didn’t you report it to Google’s vulnerability reward program (http://www.google.com/about/corporate/company/security.html) ? Maybe worth some cash :-)

Marciano July 20, 2011 at 1:23 pm

I’m really surprised your site is still in the Google index. When I once posted a critical article about Google my weblog (blogspot) was removed from the index within 15 minutes.

Chris July 20, 2011 at 1:29 pm

You could have been a millionaire.

Billy Bragg July 20, 2011 at 1:54 pm

Hoax.
Internet meme

black-jack July 20, 2011 at 2:06 pm

Damn! doesn’t work anymore!

seoprogrammierer July 20, 2011 at 2:13 pm

hehe unfortunately I read this post too late. But…maybe only a linkbait?
Whatever, linkbait or not congrats to your first post, it was very good!!

Tyson July 20, 2011 at 2:29 pm

Breckenridge……. you dark horse!

Saint D July 20, 2011 at 2:32 pm

I thought ‘Google’ of all, can’t have a costly loophole like this let alone being hacked…crazy funny!

Diane July 20, 2011 at 2:34 pm

I read this through and thought you must be joking, but I checked the date and it’s not April 1st.
Wow. That’s a bit of a slip up. I’m not going to go and test it because that’d just be mean.

seowebguy July 20, 2011 at 3:30 pm

You probably aren’t the first person to figure this out, just the first one to publish a detailed article about it like this. Kudos, let’s hope Google does something about this NOW

Donny July 20, 2011 at 3:32 pm

Google should pay you like a $50,000 consulting fee for the free help!

Dylan Darling July 20, 2011 at 3:57 pm

Wow… Crazy. It looks like they’ve fixed, or are fixing it now. I can’t believe you’re the first to find this! It will be interesting to see if they do some kind of investigation and find out if people were abusing this feature.

Heinrich July 20, 2011 at 4:01 pm

Tested this on a site I own, getting an error message, so hopefully Big G already plugged this. I immediately checked all of my rankings to make sure someone didn’t sink my battleship.

Goldie July 20, 2011 at 4:04 pm

How come I am always the last to know :(

morgauxo July 20, 2011 at 4:40 pm

>> “I think it won’t work if the page isn’t blocked by robots.txt or doesn’t provide 404 status code…”

Why would a site with a robots.txt be in the index in the first place?

Earl Grey July 20, 2011 at 4:45 pm

I just saw this on Slashdot and nearly had a heart attack.

This was my post from 2007 about a flaw I found in Google webmaster site removal tool.
https://www.syndk8.com/blog/earlgrey/major-google-security-flaw-to-remove-sites-from-the-index-000987.html
So bizarre to be reading another similar flaw in 2007 with a similar title.

Someone July 20, 2011 at 4:45 pm

If you’re looking to report security bugs to Google, just e-mail security@google.com; if you’d done that you’d probably be $3133.70 richer shortly.

matt July 20, 2011 at 5:09 pm

Class in a glass, I’m just happy that you’re an honest person. Thanks Mate.

Philipp July 20, 2011 at 5:34 pm

Excellent post! One more subscriber right now.

Jeevs July 20, 2011 at 5:48 pm

Holy s#it!!! You are the man buddy…kudos to you ;)

Brent July 20, 2011 at 5:55 pm

Unfortunately, Google is developing the same problem that large companies like Microsoft have: there’s almost no way to actually contact a real person. When you refuse to listen to your users, you deserve it when stuff like this happens.

Meat Media July 20, 2011 at 6:35 pm

Can’t believe Google have left a hole like this. I swear they really hate webmasters..

jswebschmiede July 20, 2011 at 6:47 pm

Hallo,
bullshit.

Nick July 20, 2011 at 7:20 pm

Interesting article!

How sure are you that this isn’t just removing these sites from YOUR search results, and not from the entire index…?

Pedro July 20, 2011 at 7:27 pm

This kind of bug is too embarrassing. Google have been extremely cautious releasing new products and changing long habits. It’s no coincidence that such embarrassing errors start to occur at a time when Google totally opens the gates to a massive flood of new products, features, redesigns, etc. They are starting to look less rock solid than they once did.
G+ might be a desperate attempt. Honestly, I think they would be better off doing what they always did the right way instead of trying to fire in all directions.
Granted Google webmasters tools is rather old, but still.

allforJesse July 20, 2011 at 7:35 pm

When this post dropped, a race began between the black hats and Google’s cleanup team. I wonder 1) how much damage was done and 2) how many people were quietly using this technique for weeks or months before James in his wisdom discovered it and reported it.

Canuteson July 20, 2011 at 7:41 pm

SEO Blackhats rejoice.

Trod July 20, 2011 at 8:01 pm

I’m surprised no one has removed FB, MS, Apple, or other site given this knowledge.

tomniuc July 20, 2011 at 8:31 pm

You’d get sued, dude…

Ajeet Khurana July 20, 2011 at 8:37 pm

Wow James! I am amazed that this is even possible. I am tempted to test this, but that would not be right. Let’s hope I can continue to resist the temptation :)

Scott July 20, 2011 at 9:00 pm

You have to wonder how many others have discovered this and not publicly shared it, and perhaps even used it against competitors with a fake WMT account!
Great find, and I even see Google has now temporarily disabled the ability to “remove URL’s” altogether because of your find. This will be a tough one to top… good luck!

Piyush July 20, 2011 at 9:25 pm

Wow, that is intense. Great finding. Have they fixed it yet James?

Mamun July 20, 2011 at 9:30 pm

Hmm! Are you sure it really removed the link from the SERP? I thought it takes around 48 hours after submitting a request for removal

albino July 20, 2011 at 9:52 pm

Nice. You could’ve got a security bug bounty for that…

Owen Gerrard July 20, 2011 at 10:15 pm

Amazing, Jimbo. Worryingly this means we’re going to have to start listening to you at work now when you start talking otherwise apparently crazy stuff at work!!?? ;)

Zeeshan Ali July 20, 2011 at 10:42 pm

Pass it to Matt Cutts the official Google spokesman for Google Search…

george July 21, 2011 at 1:05 am

You realize you could have made millions of dollars with this, right? Now you’ll have to suffice with a shitty blog post that is already irrelevant.

I’d say pure brilliance on your part.

Neil Coffey July 21, 2011 at 1:30 am

Does anyone have confirmation from Google that this is for real and is there a statement from them? If it is for real, it would be quite a serious security loophole, but I assume it would be easy enough for Google to identify any offending removes and reverse them.

Zuckerberg July 21, 2011 at 1:31 am

Hi James,

you were sitting on millions of dollars and burned it with this post.

You are something like Jesus, but I would have taken the millions with my own #1 google rankings.

Afnan July 21, 2011 at 3:13 am

Google is BUGGY. I don’t trust them.
Google Webmaster team should get retirement now.

Really a Good QA audit.

Shankar bakshi @ netprofitmantra.com July 21, 2011 at 4:08 am

The competition is over, can’t believe Google was that easy to hack.

Ragnar Schierholz July 21, 2011 at 7:12 am

Interesting find indeed… but why was it so hard to find a proper contact at Google to submit this to? A little search for “Google Vulnerability Reporting” shows the Google product security page as the first hit (at least for me) – where you find an e-mail (security@google.com – that one would have been a reasonable guess even) and a link to a contacts page. When typing “Google Vulnerability Re” with instant search on, Google auto-completed for me to “Google Vulnerability Reward Program” which has even more details on how to report a vulnerability and how to be rewarded for that reporting.

No offense, but I think you could have reported this easily following the responsible disclosure process…
