Google Plugs Hole That Lets You Remove Any Website

blowdart writes "Google today disabled their webmaster tools after it was discovered that anyone could use the tool to remove any site from the google index. The exploit was pretty simple, all anyone had to do was to have a google webmasters tool account and edit a query string parameter on a valid removal to point to a domain they didn't own!"

I really wish...

[Anonymous Coward]

this hole was open long enough for someone to remove Expert Exchange & all the other BS...

Re:

[Anonymous Coward]

He, Expert Exchange is ok. Just look into the source code or the cached page and you will find the answers without paying :)

It's easier than that... just scroll down!

Re:

[El Lobo]

No need to do that. Just scroll the page 3 miles down. There are the answers.

Re:

[IAmGarethAdams]

Only if you've clicked through from a Google search result

Re:

[Flyerman]

I believe the complaint originated at Experts Exchange showing up in google search results.

Re:

[IAmGarethAdams]

Yes, a common suggestion is that Experts Exchange *aren't* playing the system because the answers are there if you scroll down.

I was pointing out that they *are* playing the system because the answers are *only* visible after clicking through from a Google search result. Try finding a page where the answer is at the bottom, and copy the URL into a new tab/window/browser. Abracadabra! The answer disappears!

Experts Exchange is just another paywalled site at the end of the day, but they use dodgy practices to

Re:

[Flyerman]

No shit! They show google the answer in exchange for showing up in search results. Google requires them to not hide the answers when people click through the results. Why would they show you the answer if you didn't click through the results?

It's not dodgy, and yeah, they're just another paywall.

Re:

[IAmGarethAdams]

I realise they're just another paywall, I even said as much myself [slashdot.org] already.

But it's still dodgy - even the page which has the answer at the bottom strongly hints that you need to "Subscribe now" to get "Instant Access to this Solution". I don't have problems with paywalls but this is an extra level of deviousness.

Re:

[inject_hotmail.com]

Only if you've clicked through from a Google search result

It works from Yahoo as well...it must be the referrer...because it doesn't work from, say, startpage.com...

I could see Yahoo and Google saying to Experts-Exchange: "Hey, we like it when people use our engine over any else's...we'll shoot you some cash if you let is read your answers...

Re:

[jason1178]

Nah, it's just the requirements of the search engines that visitors from the search engine see what the search engine sees. If you try to come in without that, you will see the paywall. Folks have to make money...big web sites aren't free to run anymore.

Re:

[inject_hotmail.com]

Nah, it's just the requirements of the search engines that visitors from the search engine see what the search engine sees. If you try to come in without that, you will see the paywall. Folks have to make money...big web sites aren't free to run anymore.

So you mean to say that Yahoo is telling Experts-Exchange to open up their pay wall just so that Experts-Exchange doesn't get removed from Yahoo's search index? That doesn't really make sense...because then Experts-Exchange would simply not show "answers" to the search engine's spider (which would be the default behaviour of any pay wall).

I can't imagine Experts-Exchange would bend to Google or Yahoo in such a way...I do, however, believe that Yahoo would want users to use their engine to search Experts-

Re:

[jason1178]

It's Google's requirement under "First Click Free" that if coming from Google, you have to be able to see the full content of the page. If not, it's cloaking and bad things happen. Yahoo uses Bing and I'm pretty sure Bing is copying all Google policies down the letter :)

So?

[bigsexyjoe]

Stackoverflow still gives you better answers. I see no reason to even get their answers for free.

By the way, google should remove experts exchange, they give the googlebot the answer but try to hide from regular users.

Re:

[delinear]

I never understood that - Google made such a big deal about not showing different content to the bot than you do to users (to the extent that they banned high profile sites like BMW's .de site) and yet ExpertSexchange (which is how I always read it, anyhoo) are still around when their entire business model seems to be gaming the system.

Re:

[_0xd0ad]

They DO give the same content to the user as they give to Googlebot - as long as the user is coming from Google, which is all Google really cares about.

Of course, it's really not that hard to forge the referer header [mozilla.org]...

Re:

[Riceballsan]

EE dosn't show different information to the bot then the users, the bot just views things differently. Both the user and the bot have to scroll down past the huge block of nothingness to get to the answers, the difference is the bot tends to only focus on and highlight the relevant information, while the user tends to skim over the "please pay now" buttons and stop. Yes if you aren't getting to the page from a google link, the solutions aren't hidden at the bottom, but that isn't googles concern, anything o

Re:

[bhtooefr]

Well, there is always changing the rules to react to the violation of the spirit...

Re:

[jason1178]

How is it cheating? At least they will display the answer. Try getting a recipe from Cooks Illustrated or something from Consumer Reports.

Re:

[jason1178]

There's a whole discussion right about you that pretty much explains why this isn't the case.

Re:

[Anonymous Coward]

What!?!? Would you rather your sex change be done by an amateur?

Re:

[ArsenneLupin]

Hehe...

But, seriously, has anyone an appropriate site to put after the RewriteCond %{HTTP_REFERER} experts-exchange.com in my apache config...?

Preferably something which has still expertsexchange somewhere in its URL, but with lots of pictures of scantily clad ladies (which once were lads...) in it?

Re:

[TheRaven64]

I've not used Google for a while, but I seem to still have these lines in my user CSS:

li h3 a[HREF*="http://www.experts-exchange.com/"] {display : none ! important }
A[HREF*="http://www.experts-exchange.com/"]:after { content: " [IDIOT WARNING]"!important ; color: red }

The first hides expert sexchange links from Google search results, the second flags them with a red idiot warning if they appear elsewhere, so I don't accidentally click on them.

Re:

[fbjon]

this hole was open long enough for someone to remove Expert Exchange & all the other BS...

What's wrong with EE? At least you can find some help there. What really needs to go is the endless product search engines, all proclaiming "be the first to write a review!".

Re:

[Ksevio]

How about the several pages of ads mixed in with the useful results? Or the blocking of answers (on pages where just the question gets matched)?

Re:

[OverlordQ]

They dont block answers, scroll down past all the crap.

Re:

[IAmGarethAdams]

Technically they don't break any of Google's rules. Google's First Click Free [blogspot.com] initiative is designed to allow paywalled content to be crawled and indexable, subject (among other things) to guidelines like:

- All users who click a Google search result to arrive at your site should be allowed to see the full text of the content they're trying to access.
- The page displayed to all users who visit from Google must be identical to the content that is shown to Googlebot.

Now, these are true for EE, but the page whi

Re:

[IAmGarethAdams]

Only if you've clicked through directly from a Google search result page

Re:

[Ksevio]

They sometimes block the answers if google picks up a page with just the question. It doesn't violate the rules because it shows the same page to google and other visitors, but there isn't useful information beyond the question.

Re:

[Mister Whirly]

Adblock+ and scroll down to the bottom. Simple solutions.

Re:

[doccus]

I first joined EE when it was a normal question/answer site I didn't even know they'd gone paywalled unti i tried to log in 10 years later or so (last year i think... At the time i needed something better (*anything* actually ) than Computing net. i actually needed answers.. Oh and PPS to the previous poster.. mine really DOES go up to 11.. It came from Jim Marshall's shop that way.. for real!

Re:

[speculatrix]

create a bookmark called "goognoreviews" with the following: javascript:sURL='http://www.google.co.uk';sTerm=prompt('Enter%20a%20Google%20search%20term','');if(sTerm!=null){void(document.location=sURL+'/search?q='+encodeURIComponent(sTerm)+"+-inurl:(kelkoo|bizrate|pixmania|dealtime|pricerunner|dooyoo|pricegrabber|pricewatch|resellerratings|ebay|shopbot|comparestoreprices|ciao|unbeatable|shopping|epinions|nextag|buy|bestwebbuys)")}else{void(document.location)}

Re:

[LordLimecat]

Er, if you want answers, all you have to do is google the question being answered, and click thru from google, then scroll all the way to the bottom. By Google's TOS, you cannot present different information to the google search engine than you present to someone coming from Google, so its not even likely to be blocked, nor do I feel bad about it-- it is the price of being indexed on Google.

I mean, they can present ads that try to make you feel bad, and make it obnoxious to get to the info, but if anyone i

Re:

[Ksevio]

If you google the question, sometimes google will pick up a page with only the question and no answers.

Re:

[Bob the Super Hamste]

The BS that they pull in trying to hid the solution to get you to pay. Granted you usually just need to scroll to the bottom, or use the Google cache of it. But they do some dodgy things. I would prefer the product search engines go before ExpertsExchange since you are correct there is some value to ExpertsExchange. Also on the list of things that should go are those sites that republish others content as their own they are by far the worst.

Re:

[Robert Zenz]

At least you can find some help there.

Try StackExchange [stackexchange.com].

Re:

[jason1178]

Stack's gotten a lot worse with popularity and the newer sites on stack exchange range from okay to ghost towns. While sometimes you get a great set of answers, more often than not you get a horde of people editing your question into something different just so they can earn the boy scout badges and rep. There's plenty of garbage floating around there now.

Re:I really wish...

[RedACE7500]

1. Log in to your Google Account
2. Search for Experts Exchange
3. Click on the result for Experts Exchange
4. Press Back on your browser
5. Click "Block all www.experts-exchange.com results"

Re:I really wish...

[RedACE7500]

Alternatively, manually block sites from your results here: http://www.google.com/reviews/t [google.com]

Re:

[VortexCortex]

Thanks, but I tried that... It turns out that I intentionally don't stay signed in to Google services, so I wrote a userscript for Grease-Monkey instead.

// ==UserScript==
// @name F-Experts-Exchaneg
// @namespace http://userscripts.org/users/useridnumber [userscripts.org]
// @include http://www.google.com/search [google.com]
// ==/UserScript==

var f = 1;
while ( f ) {
var a = document.getElementsByTagName('a');
f = 0;
for ( var i = 0; i < a.length; ++i )
if ( a[i].href.match('experts-exchange.com') ) try {

Re:

[perryizgr8]

there is no "Block all www.experts-exchange.com results" button :(

Re:

[hldn]

http://www.google.com/reviews/t [google.com]

page to manage your blocked sites.

Re:

[Mr. DOS]

Or you could just, y'know, scroll down to the bottom of the page and read the actual replies instead of the fakes at the top of the page...

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[PRMan]

Just scroll all the way to the bottom. The answers are there. I find expertsexchange.com to be very useful...

Re:

[rumith]

Use the Personal Blocklist [google.com] Chrome extension to remove ExEx from Google search just for you. Also, it's quite amazing that you still get it high in your result, I mostly get StackOverflow at the top (as it should be).

Re:

[MurukeshM]

Seconded. I use it to block w3schools and sexchange sites. Perhaps someone should do an intervention a la w3fools [w3fools.com]...

Too late

[esocid]

/. was already removed from the internet. That's why no one is commenting.
Come to think of it, how did I get here? Where am I? I'm old.

Re:

[shentino]

You're probably such an old fart by now that you've memorized slashdot's IP address.

Re:

[KiloByte]

You see, most people these days type "facebook login" into Google, but some old geezers still use a thing named "DNS".

Re:

[bigstrat2003]

It really baffles and aggravates me when people do that. It's like they seek out the most idiotic way to do something, and then follow it religiously as if it were the only workable solution.

Re:

[mehrotra.akash]

http://xkcd.com/763/ [xkcd.com]

only one comment possible

[circletimessquare]

http://www.google.com/search?q=picard+facepalm&tbm=isch [google.com]

Bobby tables

[Bob the Super Hamste]

Obligatory XKCD [xkcd.com]

Re:Bobby tables

[Shikaku]

http://bobby-tables.com/ [bobby-tables.com] Obligatory response.

Re:

[Bob the Super Hamste]

That was fast. Someone mod parent informative.

Re:

[fuzzytv]

The bug in webmaster tools has nothing to do with SQL injection, so although I like XKCD the two posts are quite irrelevant.

Re:

[Nadaka]

They are both inserting unexpected data into an unverified field. The only difference is that with SQL injection you are inserting sql to do what you want instead of just data.

Re:

[fuzzytv]

Well, many attacks are based on unexpected values (if the developer expected that and it fails, he's a bit stupid). I was just pointing out this is not exactly SQL injection - the difference is that in this case there was a piece of business logic missing (check that the user is authorized to do that) and in case of SQL injection it's a failure at much lower level (data access).

Anyway, let's not argue about this and let's read some old XKCD strips we've already forgotten.

Re:

[petermgreen]

The problem I see with deniable encryption is that while they can't prove there is more to see you can't prove that there isn't. So if they think the keys you have given them are decoys they will just keep tortuting you until you either reveal further keys or die.

Re:

[nabsltd]

It's called Deniable Encryption

In the real world, deniable encryption means they beat you with the wrench even after you have given them a password that appears to work.

Re:

[LittleBobbyTables]

Lol. Excellent choice of comics you have there

I'm glad people have

[Nethemas the Great]

http://www.supersecurewebsoftware.com/adminPages.aspx?admin=true&customeraccountaccess=true&warmfuzzyfeeling=true [slashdot.org]

Re:

[MacGyver2210]

Yeh, GET requests are not that secure...

Probably an honest mistake

[Baloroth]

Well, this is pretty bad, though I imagine it probably happened because one webmaster could control multiple domains that look dissimilar, and they forgot to add checks to make sure that the webmaster really controlled the requested one. Oops. Nowhere near as bad as this [slashdot.org], which was simple gross, heads-should-roll, incompetence, but still a pretty big mistake. Kinda sad that address bar "hacks" still work in this day and age. Especially at a company like Google.

Looks like the removal isn't permanent, eithe

Re:

[maxwell demon]

A POST is in no way more secure than a GET.
The flaw was to trust user input, plain and simple.

Re:

[Nadaka]

Trust but verify. Verify the crap out of anything you get from the user. Even if its a read only field, even if its a hidden field, even if it is encrypted.

Re:

[Mister Whirly]

This. Rule # 1 for creating anything with user input is - Never trust user input. Always sanitize before submission.

Re:

[AmberBlackCat]

At least we know a whole different group of people put together Google+ and it's totally secure...

Interesting applications possible...

[CCarrot]

What if someone used this exploit to remove Google.com? Then my parents couldn't enter 'google' in the white box (Google homepage) to get to 'the internet'!

Agh. I think my head exploded.

Re:

[idontgno]

My head already apslode from the thought of needing Google to get to Google.

Re:

[yanyan]

Yo dawg i herd you like searching so i put a google in your google so you can search while you search.

Re:

[Bucky24]

I had a girlfriend once who did this. She would type "google.com" into the google search bar at the top of her browser (firefox) to get to google so she could run searches. Drove me crazy.

Re:

[MacGyver2210]

I can't remember how many times I've tried to explain to various family members the differences between the two boxes in the title bar. It's a lot, that's for sure.

They never seem to get it, and perpetually type URLs into the search box.

Re:

[maxwell demon]

One more hint at that introducing the search box was an error. After all, you can do everything from the URL bar which you can do from there.

Re:

[Canazza]

That's nothing, I know people who type google.com into the address bar, THEN type URLs into the google search box.

Re:

[KiloByte]

Well, that's better than Google's typo-jacking that sadly got into most browsers. I have that misfeature disabled -- to do a search, I type "g furry squid porn" (the default Firefox config has it on "google" which might be good enough for most, I shortened it to "g").

Re:

[CCarrot]

That's nothing, I know people who type google.com into the address bar, THEN type URLs into the google search box.

Oh? You know my parents? What a small world!

(Oh, wait, I set up Google as their homepage, so I guess they usually skip the first part...)

Re:

[mehrotra.akash]

Use chrome then..

Even in Firefox, the address bar acts as a search bar if you dont enter a website address

Re:

[bonch]

No worries. Google hard-codes its services to appear on the results page like a good monopoly should.

Re:

[LordLimecat]

http://www.google.com/search?q=photos [google.com]
Thats odd, that doesnt point to picasa at all!

http://www.google.com/search?q=social+networking [google.com]
wait a sec, wikipedia isnt a google product.... whats going on here?

http://www.google.com/search?q=email [google.com]
Wait a second, the top result is a sponsored ad, which DOESNT point to gmail!

Is it possible that youre just utterly wrong?

Re:

[CrackerJack9]

Or were you confused why things with "Google" in their titles are at the top of the list when you search for "Google"?

plug Google into it

[roman_mir]

The author of this 'xploit' would have gotten more attention from Google if he tried removing 'google.com' and some other domains that belong to the company.

I think this is the closest one could get to breaking the Internet [youtube.com] by 'typing google into google'.

History?

[popo]

One wonders if Google can trace anyone who has previously used this technique to remove competitors from the index.

It would be fascinating to see just who has been a bad boy.

Collusion

[Dainsanefh]

With the security hole plugged, people who wish to remove their erroneous information online will need to use paid service such as Reputation Defender. I bet how much did RD paid to Google to get this fixed?

And by proxy...

[Tarlus]

So then if somebody used this exploit to remove sites from Google, does that mean they'll mysteriously disappear from Bing?

=)

Re:

[Tolkien]

.... This hole in Google's code doesn't affect the general availability of your site. It affects whether or not the site is contained in Google's index.

Re:

[fuzzytv]

An awful lot of sites depend on visitors from search engines. No visitors = no business, so if you can block competing sites from the index (and thus from results), your business will be hurt badly.

Re:

[Tolkien]

I understand that. :) The way AC phrased it gives me the impression that they're referring to general availability of the site to the open Internet, not indexability.

Re:

[fuzzytv]

Ooops, I see. Probably an attempt to gain some traffic ...