

Remove any Site From Google (even if you don't control it) - feydr
http://www.jamesbreckenridge.co.uk/remove-any-site-from-google-even-if-you-dont-control-it.html

======
wccrawford
I think it's sad that he had to resort to publicly releasing this exploit
because he couldn't find a way to contact Google about it.

In the past, when I've had problems, I couldn't contact them either. They've
done a great job at making sure there's no human contacts available. You have
to post something in a public forum and hope they'll contact you. (They
won't.)

~~~
ssclafani
Sending an email to security@google.com will result in a quick response. As
part of their bug bounty program Google would have paid $1,000 for this bug if
not more.

~~~
elmomalmo
Hmm, which is more valuable, $1000 or #1 on HN?

~~~
mike-cardwell
$1000

------
staunch
This bug could have been exploited for _millions_ of dollars. Imagine giving a
mafia boss control over the heartbeat of every rival. One blackhat SEO could
have dominated any number of lucrative keywords.

If this bug has existed for a long time it's quite possible some guy is
sailing around on a yacht that this bug paid for.

It's such a blindingly obvious bug that I really do wonder whether this might
have been a backdoor/inside job by an employee. Google should _very_ closely
inspect the code change history.

Hopefully they also maintain a history of all page removal requests to see who
might have been exploiting this.

~~~
cheez
> This bug could have been exploited for millions of dollars.

Quite possibly exploited for non-savvy website owners. Savvy owners would be
checking their ranking regularly and noticing it disappear one day.

Anyone who ranks highly for lucrative keywords and does not check their
ranking is asking to lose it, whether ethically or otherwise.

So I don't think it would have been exploited for the millions you think, but
possibly a good bit of money.

~~~
kragen
> Anyone who ranks highly for lucrative keywords and does not check their
> ranking is asking to lose it, whether ethically or otherwise.

Your ranking is not your responsibility as a webmaster. It's Google's
responsibility to its users to rank good answers highly.

~~~
a5seo
By that logic, your comment being understood isn't your responsibility, it's
the responsibility of your reader.

------
brownie
Despite it being "fixed" not long after the blog post went live, I wonder how
long/how many people knew about this bug. Seems like it would be a great trick
for SEO (build page to certain PR/remove opponents ranking above you)

------
retube
Does this _actually_ work though? You get the message "URL pending for
removal" but does that mean it's really going to be removed? Perhaps this is
just a default response.

Were any non-owned sites/urls actually removed?

------
juliano_q
I don't know how it is possible that such an obvious bug passed their quality
department, and I wonder if someone didn't discover it before and was doing
this to take out competitors' indexes..

~~~
DrJokepu
Bugs happen. Even big ones like this. Any engineer worth his money knows that
no amount of Q&A will discover 100% of the bugs. But, as Joel Spolsky said
somewhere, bugs are just bugs, you fix them and then they're fixed.

~~~
juliano_q
I know, I am an engineer and I obviously let bugs pass too. But this is a
little too obvious to me, to check if the user is allowed to remove this url.
Maybe I am neurotic? :)

~~~
dangrossman
I can see having this pass by a reviewer or two. They look and see all of
this:

- There are permission checks

- The user has to be logged in to GWT

- The user has to have access to this page

- The user has to be the owner of the siteUrl

After all those permission checks, it might appear that everything was
covered. It's just one little omission, verifying that the urlt parameter
corresponds to a page within the siteUrl website, that was missed.
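
The omission described above, as an added Python example that is not from the original post or from Google's own code: a stand-in for the removal endpoint's authorization logic, where the VERIFIED_SITES table, url_within_site and authorize_removal are all assumed names invented for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed sample data: the verified properties each logged-in user owns.
VERIFIED_SITES = {"alice": {"http://example.com/"}}

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) with the default port filled in, or None if unparsable."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # non-numeric port
        return None
    if not parts.scheme or not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    # hostname is already lower-cased and has any userinfo stripped
    return scheme, parts.hostname, port or DEFAULT_PORTS.get(scheme)


def url_within_site(site_url, target_url):
    """True only if target_url is a page under the verified site_url.

    The origin (scheme, host, port) must match exactly, so a host such as
    'example.com.evil.net' never matches, and '..' segments are normalised
    so the target path cannot escape the site's directory.
    """
    site_origin = _origin(site_url)
    if site_origin is None or site_origin != _origin(target_url):
        return False
    site_dir = posixpath.normpath(urlsplit(site_url).path or "/")
    if not site_dir.endswith("/"):
        site_dir += "/"
    target_path = posixpath.normpath(urlsplit(target_url).path or "/")
    return target_path == site_dir.rstrip("/") or target_path.startswith(site_dir)


def authorize_removal(user, site_url, urlt):
    """Decide whether `user` may remove `urlt` through the property `site_url`."""
    if site_url not in VERIFIED_SITES.get(user, set()):
        return False  # the owner check on siteUrl that already existed
    return url_within_site(site_url, urlt)  # the check on urlt that was missing
```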

~~~
jpeterson
This is a pretty amateurish mistake, actually, and I'm shocked that it was in
production at Google. Proper authorization checks are web programming 101.

~~~
dangrossman
If you make a checklist of security practices the QA testers should look for,
they'd see and check off "proper authorization checks", as they were done on
other fields of the same page. If you can't imagine a professional making this
mistake, your mental image of an engineer is not realistic. Humans are not
that perfect, and this mistake does not make everyone that reviewed this code
an amateur.

~~~
jpeterson
Well, people are downvoting me, but everyone ripped the developers of
Diaspora apart for basically the same exact flaw in an early alpha release of
their system. The Google fanboyism seems to be running strong here.

~~~
carbonica
Those flaws were all over their entire codebase in very basic parts of the
site's functionality. They had _literally zero_ authorization checks.

------
latch
His first blog post...talk about setting high expectations.

------
pbz
Somewhat related: I wish GWT had a "pattern" removal.

With one of my sites, by the time I noticed that certain pages were missing
the "noindex" tag Google happily indexed over 4000 pages. Considering the rate
Google is crawling those pages it may take years to be removed from the index.
Obviously, submitting each link one by one is rather tedious.

Hopefully the author is going to release that extension after Google fixes
this bug. I may actually bother clicking 4K times just to see that site
"fixed"...

~~~
bostonvaulter2
Grrr, Google and its acronyms. I thought GWT stood for Google Web Toolkit
and I was really confused for a second. Instead this GWT stands for Google
Webmaster Tools...

------
ImperatorLunae
<i>otherwise although it is a loophole I am pretty sure it is illegal.</i>

It would <i>seem</i> that this is illegal, but I've never heard of a law
protecting one's right to be listed in a search engine.

Perhaps, if this process requires you to be the owner, it qualifies as fraud?

~~~
dwwoelfel
If you want italics, use asterisks instead of <i></i>'s.

For example,

    *italic*
produces _italic_.

<http://news.ycombinator.com/formatdoc>

~~~
ImperatorLunae
thanks!

------
yaix
I am always amazed how experienced programmers can make such obvious errors
when processing user input. Why would I ask for a URL of the WMT account in
the query string?

I just hope that there is no "for the lulz" guy running a batch script to see
how many million URLs he'll be able to remove before this gets fixed.

------
orblivion
Imagine if LulzSec found this first

~~~
xtal
How do you know they haven't?

~~~
TeMPOraL
I think they would have said something about it already ;).

------
amritayannayak
The link is broken. I'm not able to load the page.

------
MNUO
That's really funny but very serious.

------
suking
I suspect some googlers are going to have a long night :-).

------
Hisoka
4 months ago one of my sites totally disappeared from Google. I wonder if this
is because of this??? It's not a shady site, and there's no reason Google
would remove ALL the pages.. if anything they'd penalize it.

