
Google Plugs Hole That Lets You Remove Any Website

Posted by CmdrTaco
from the yeah-we-uhh-meant-to-do-that dept.
blowdart writes "Google today disabled their webmaster tools after it was discovered that anyone could use the tool to remove any site from the Google index. The exploit was pretty simple: all anyone had to do was to have a Google webmasters tool account and edit a query string parameter on a valid removal to point to a domain they didn't own!"
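
The flaw in the summary is a missing server-side authorization check on the object named in the request. As an added example (not Google's code and not part of the original post), this sketch puts that flawed pattern beside a handler that checks ownership of the requested host; the `siteUrl` parameter name, the account names and the subdomain rule are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: sites each account has verified ownership of.
VERIFIED_SITES = {
    "alice": {"alice-blog.example"},
    "mallory": {"mallory-shop.example"},
}

def target_host(query_string):
    """Return the normalized host named by the (hypothetical) siteUrl parameter."""
    values = parse_qs(query_string).get("siteUrl", [])
    if len(values) != 1:            # missing or duplicated parameter: reject
        return None
    try:
        parts = urlsplit(values[0])
    except ValueError:              # malformed authority, e.g. a broken IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # .hostname drops userinfo and port and lowercases; strip a trailing dot too.
    return parts.hostname.rstrip(".")

def remove_url_vulnerable(account, query_string):
    """Flawed pattern: any account with some verified site may act on any URL."""
    if not VERIFIED_SITES.get(account):
        return "denied"
    return "removed" if target_host(query_string) else "bad request"

def remove_url_checked(account, query_string):
    """Authorize against the host named in this request, on every request."""
    host = target_host(query_string)
    if host is None:
        return "bad request"
    owned = VERIFIED_SITES.get(account, set())
    # Assumption: verification covers the site and its subdomains.
    # Compare whole labels; never use a substring or bare suffix match.
    if any(host == site or host.endswith("." + site) for site in owned):
        return "removed"
    return "denied"
```

The ownership decision is made from the parsed host, not from the raw string, so a value such as `http://mallory-shop.example@alice-blog.example/` is evaluated as `alice-blog.example`.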
This discussion has been archived. No new comments can be posted.

  • I really wish... (Score:5, Insightful)

    by Anonymous Coward on Wednesday July 20, 2011 @11:02AM (#36823750)
    this hole was open long enough for someone to remove Expert Exchange & all the other BS...
    • Re: (Score:3, Funny)

      by Anonymous Coward

      What!?!? Would you rather your sex change be done by an amateur?

      • Hehe...

        But, seriously, has anyone an appropriate site to put after the RewriteCond %{HTTP_REFERER} experts-exchange.com in my apache config...?

        Preferably something which has still expertsexchange somewhere in its URL, but with lots of pictures of scantily clad ladies (which once were lads...) in it?

        • I've not used Google for a while, but I seem to still have these lines in my user CSS:

          li h3 a[HREF*="http://www.experts-exchange.com/"] {display : none ! important }
          A[HREF*="http://www.experts-exchange.com/"]:after { content: " [IDIOT WARNING]"!important ; color: red }

          The first hides expert sexchange links from Google search results, the second flags them with a red idiot warning if they appear elsewhere, so I don't accidentally click on them.

    • by fbjon (692006)

      this hole was open long enough for someone to remove Expert Exchange & all the other BS...

      What's wrong with EE? At least you can find some help there. What really needs to go is the endless product search engines, all proclaiming "be the first to write a review!".

      • by Ksevio (865461)
        How about the several pages of ads mixed in with the useful results? Or the blocking of answers (on pages where just the question gets matched)?
        • by OverlordQ (264228)

          They don't block answers, scroll down past all the crap.

          • Only if you've clicked through directly from a Google search result page

          • by Ksevio (865461)
            They sometimes block the answers if Google picks up a page with just the question. It doesn't violate the rules because it shows the same page to Google and other visitors, but there isn't useful information beyond the question.
        • Adblock+ and scroll down to the bottom. Simple solutions.
          • by doccus (2020662)
            I first joined EE when it was a normal question/answer site. I didn't even know they'd gone paywalled until I tried to log in 10 years later or so (last year, I think). At the time I needed something better (*anything*, actually) than Computing net. I actually needed answers. Oh, and PPS to the previous poster: mine really DOES go up to 11. It came from Jim Marshall's shop that way, for real!
        • create a bookmark called "goognoreviews" with the following: javascript:sURL='http://www.google.co.uk';sTerm=prompt('Enter%20a%20Google%20search%20term','');if(sTerm!=null){void(document.location=sURL+'/search?q='+encodeURIComponent(sTerm)+"+-inurl:(kelkoo|bizrate|pixmania|dealtime|pricerunner|dooyoo|pricegrabber|pricewatch|resellerratings|ebay|shopbot|comparestoreprices|ciao|unbeatable|shopping|epinions|nextag|buy|bestwebbuys)")}else{void(document.location)}
        • Er, if you want answers, all you have to do is google the question being answered, and click thru from Google, then scroll all the way to the bottom. By Google's TOS, you cannot present different information to the Google search engine than you present to someone coming from Google, so it's not even likely to be blocked, nor do I feel bad about it-- it is the price of being indexed on Google.

          I mean, they can present ads that try to make you feel bad, and make it obnoxious to get to the info, but if anyone i

          • by Ksevio (865461)
            If you google the question, sometimes Google will pick up a page with only the question and no answers.
      • The BS that they pull in trying to hide the solution to get you to pay. Granted, you usually just need to scroll to the bottom, or use the Google cache of it. But they do some dodgy things. I would prefer the product search engines go before ExpertsExchange, since you are correct there is some value to ExpertsExchange. Also on the list of things that should go are those sites that republish others' content as their own; they are by far the worst.
      • At least you can find some help there.

        Try StackExchange [stackexchange.com].

        • Stack's gotten a lot worse with popularity and the newer sites on stack exchange range from okay to ghost towns. While sometimes you get a great set of answers, more often than not you get a horde of people editing your question into something different just so they can earn the boy scout badges and rep. There's plenty of garbage floating around there now.
    • Re:I really wish... (Score:5, Informative)

      by RedACE7500 (904963) on Wednesday July 20, 2011 @11:12AM (#36823908)

      1. Log in to your Google Account
      2. Search for Experts Exchange
      3. Click on the result for Experts Exchange
      4. Press Back on your browser
      5. Click "Block all www.experts-exchange.com results"

    • Expert Exchange is annoying because of how it's page ranked. But the site does offer solutions to those strange one-off technical issues. I don't mind the fact it's a paid subscription as it keeps the trolls out, but I'm sure as hell not going to spend 12 bucks a month (or 100 a year) on a service I would rarely use. OTOH, maybe I can get my company to purchase a subscription for all of us in the office. Hmmm

      • by PRMan (959735)
        Just scroll all the way to the bottom. The answers are there. I find expertsexchange.com to be very useful...
    • by rumith (983060)
      Use the Personal Blocklist [google.com] Chrome extension to remove ExEx from Google search just for you. Also, it's quite amazing that you still get it high in your result, I mostly get StackOverflow at the top (as it should be).
      • Seconded. I use it to block w3schools and sexchange sites. Perhaps someone should do an intervention a la w3fools [w3fools.com]...
  • by esocid (946821) on Wednesday July 20, 2011 @11:07AM (#36823830) Journal
    /. was already removed from the internet. That's why no one is commenting.
    Come to think of it, how did I get here? Where am I? I'm old.
  • Obligatory XKCD [xkcd.com]
    • Re:Bobby tables (Score:4, Informative)

      by Shikaku (1129753) on Wednesday July 20, 2011 @11:12AM (#36823912)

      http://bobby-tables.com/ [bobby-tables.com] Obligatory response.

      • That was fast. Someone mod parent informative.
        • by fuzzytv (2108482)

          The bug in webmaster tools has nothing to do with SQL injection, so although I like XKCD the two posts are quite irrelevant.

          • by Nadaka (224565)

            They are both inserting unexpected data into an unverified field. The only difference is that with SQL injection you are inserting SQL to do what you want instead of just data.

            • by fuzzytv (2108482)

              Well, many attacks are based on unexpected values (if the developer expected that and it fails, he's a bit stupid). I was just pointing out this is not exactly SQL injection - the difference is that in this case there was a piece of business logic missing (check that the user is authorized to do that) and in the case of SQL injection it's a failure at a much lower level (data access).

              Anyway, let's not argue about this and let's read some old XKCD strips we've already forgotten.

    • Lol. Excellent choice of comics you have there
  • Well, this is pretty bad, though I imagine it probably happened because one webmaster could control multiple domains that look dissimilar, and they forgot to add checks to make sure that the webmaster really controlled the requested one. Oops. Nowhere near as bad as this [slashdot.org], which was simple gross, heads-should-roll, incompetence, but still a pretty big mistake. Kinda sad that address bar "hacks" still work in this day and age. Especially at a company like Google.

    Looks like the removal isn't permanent, eithe

    • At least we know a whole different group of people put together Google+ and it's totally secure...
  • by CCarrot (1562079) on Wednesday July 20, 2011 @11:21AM (#36824044)

    What if someone used this exploit to remove Google.com? Then my parents couldn't enter 'google' in the white box (Google homepage) to get to 'the internet'!

    Agh. I think my head exploded.

    • by idontgno (624372)

      My head already apslode from the thought of needing Google to get to Google.

      • by yanyan (302849)

        Yo dawg i herd you like searching so i put a google in your google so you can search while you search.

      • by Bucky24 (1943328)
        I had a girlfriend once who did this. She would type "google.com" into the Google search bar at the top of her browser (Firefox) to get to Google so she could run searches. Drove me crazy.
    • I can't remember how many times I've tried to explain to various family members the differences between the two boxes in the title bar. It's a lot, that's for sure.

      They never seem to get it, and perpetually type URLs into the search box.

      • One more hint that introducing the search box was an error. After all, you can do everything from the URL bar which you can do from there.

        • by Canazza (1428553)

          That's nothing, I know people who type google.com into the address bar, THEN type URLs into the Google search box.

          • by KiloByte (825081)

            Well, that's better than Google's typo-jacking that sadly got into most browsers. I have that misfeature disabled -- to do a search, I type "g furry squid porn" (the default Firefox config has it on "google" which might be good enough for most, I shortened it to "g").

          • by CCarrot (1562079)

            That's nothing, I know people who type google.com into the address bar, THEN type URLs into the Google search box.

            Oh? You know my parents? What a small world!

            (Oh, wait, I set up Google as their homepage, so I guess they usually skip the first part...)

      • Use Chrome then..

        Even in Firefox, the address bar acts as a search bar if you don't enter a website address

    • by bonch (38532) *

      No worries. Google hard-codes its services to appear on the results page like a good monopoly should.

  • The author of this 'xploit' would have gotten more attention from Google if he tried removing 'google.com' and some other domains that belong to the company.

    I think this is the closest one could get to breaking the Internet [youtube.com] by 'typing google into google'.

  • by popo (107611)

    One wonders if Google can trace anyone who has previously used this technique to remove competitors from the index.

    It would be fascinating to see just who has been a bad boy.

  • With the security hole plugged, people who wish to remove their erroneous information online will need to use a paid service such as Reputation Defender. I wonder how much RD paid Google to get this fixed?

  • So then if somebody used this exploit to remove sites from Google, does that mean they'll mysteriously disappear from Bing?

    =)
