Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Plugs Hole That Lets You Remove Any Website

Posted by CmdrTaco on from the yeah-we-uhh-meant-to-do-that dept.

blowdart writes "Google today disabled their webmaster tools after it was discovered that anyone could use the tool to remove any site from the google index. The exploit was pretty simple, all anyone had to do was to have a google webmasters tool account and edit a query string parameter on a valid removal to point to a domain they didn't own!"

86 of 116 comments (clear)

  1. I really wish... by Anonymous Coward · · Score: 5, Insightful

    this hole was open long enough for someone to remove Expert Exchange & all the other BS...

    1. Re:I really wish... by Anonymous Coward · · Score: 1

      He, Expert Exchange is ok. Just look into the source code or the cached page and you will find the answers without paying :)

      It's easier than that... just scroll down!

    2. Re:I really wish... by Anonymous Coward · · Score: 3, Funny

      What!?!? Would you rather your sex change be done by an amateur?

    3. Re:I really wish... by El+Lobo · · Score: 1

      No need to do that. Just scroll the page 3 miles down. There are the answers.

      --
      It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
    4. Re:I really wish... by fbjon · · Score: 1

      this hole was open long enough for someone to remove Expert Exchange & all the other BS...

      What's wrong with EE? At least you can find some help there. What really needs to go is the endless product search engines, all proclaiming "be the first to write a review!".

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    5. Re:I really wish... by RedACE7500 · · Score: 5, Informative

      1. Log in to your Google Account
      2. Search for Experts Exchange
      3. Click on the result for Experts Exchange
      4. Press Back on your browser
      5. Click "Block all www.experts-exchange.com results"

    6. Re:I really wish... by RedACE7500 · · Score: 4, Informative

      Alternatively, manually block sites from your results here: http://www.google.com/reviews/t

    7. Re:I really wish... by Ksevio · · Score: 1

      How about the several pages of ads mixed in with the useful results? Or the blocking of answers (on pages where just the question gets matched)?

    8. Re:I really wish... by Bob+the+Super+Hamste · · Score: 1

      The BS that they pull in trying to hid the solution to get you to pay. Granted you usually just need to scroll to the bottom, or use the Google cache of it. But they do some dodgy things. I would prefer the product search engines go before ExpertsExchange since you are correct there is some value to ExpertsExchange. Also on the list of things that should go are those sites that republish others content as their own they are by far the worst.

      --
      Time to offend someone
    9. Re:I really wish... by Robert+Zenz · · Score: 1

      At least you can find some help there.

      Try StackExchange.

    10. Re:I really wish... by DigiShaman · · Score: 1

      Expert Exchange is annoying because of how it's page ranked. But the site does offer solutions to those strange one-off technical issues. I don't mind the fact it's a paid subscription as it keeps the trolls out, but I'm sure as hell not going to spend 12 bucks a month (or 100 a year) some a service I would rarely use. OTOH, maybe I can get my company to purchase a subscription for all of us in the office. Hmmm

      --
      Life is not for the lazy.
    11. Re:I really wish... by ArsenneLupin · · Score: 1
      Hehe...

      But, seriously, has anyone an appropriate site to put after the RewriteCond %{HTTP_REFERER} experts-exchange.com in my apache config...?

      Preferably something which has still expertsexchange somewhere in its URL, but with lots of pictures of scantily clad ladies (which once were lads...) in it?

    12. Re:I really wish... by OverlordQ · · Score: 1

      They dont block answers, scroll down past all the crap.

      --
      Your hair look like poop, Bob! - Wanker.
    13. Re:I really wish... by VortexCortex · · Score: 1

      Thanks, but I tried that... It turns out that I intentionally don't stay signed in to Google services, so I wrote a userscript for Grease-Monkey instead.

      // ==UserScript==
      // @name F-Experts-Exchaneg
      // @namespace http://userscripts.org/users/useridnumber
      // @include http://www.google.com/search
      // ==/UserScript==

      var f = 1;
      while ( f ) {
      var a = document.getElementsByTagName('a');
      f = 0;
      for ( var i = 0; i < a.length; ++i )
      if ( a[i].href.match('experts-exchange.com') ) try {
      f = 1;
      var p = a[i];
      while ( p != null ) {
      if ( p.tagName == 'LI' ) {
      p.parentNode.removeChild( p );
      break;
      } else p = p.parentNode;
      }
      if ( p == null ) a[i].parentNode.removeChild( a[i] );
      } catch ( x ){}
      }
      void(0);

      (Sorry for the formatting, still haven't figured out how to keep slash from eating my &nbsp;s.)

      I also have a script to remove all the "ads" links on search results -- Now that they don't color their backgrounds yellow or light-blue and I'm tired of accidentally clicking them. While I was at it I removed the non-intrusive side-bar ads too. Your move Google.

    14. Re:I really wish... by Mister+Whirly · · Score: 2

      Adblock+ and scroll down to the bottom. Simple solutions.

      --
      "But this one goes to 11!"
    15. Re:I really wish... by IAmGarethAdams · · Score: 1

      Only if you've clicked through from a Google search result

    16. Re:I really wish... by IAmGarethAdams · · Score: 1

      Only if you've clicked through directly from a Google search result page

    17. Re:I really wish... by Flyerman · · Score: 1

      I believe the complaint originated at Experts Exchange showing up in google search results.

    18. Re:I really wish... by TheRaven64 · · Score: 2
      I've not used Google for a while, but I seem to still have these lines in my user CSS:

      li h3 a[HREF*="http://www.experts-exchange.com/"] {display : none ! important }
      A[HREF*="http://www.experts-exchange.com/"]:after { content: " [IDIOT WARNING]"!important ; color: red }

      The first hides expert sexchange links from Google search results, the second flags them with a red idiot warning if they appear elsewhere, so I don't accidentally click on them.

      --
      I am TheRaven on Soylent News
    19. Re:I really wish... by IAmGarethAdams · · Score: 2

      Yes, a common suggestion is that Experts Exchange *aren't* playing the system because the answers are there if you scroll down.

      I was pointing out that they *are* playing the system because the answers are *only* visible after clicking through from a Google search result. Try finding a page where the answer is at the bottom, and copy the URL into a new tab/window/browser. Abracadabra! The answer disappears!

      Experts Exchange is just another paywalled site at the end of the day, but they use dodgy practices to try and make you pay for their service rather than actually concentrating on being a useful service.

    20. Re:I really wish... by IAmGarethAdams · · Score: 1

      Technically they don't break any of Google's rules. Google's First Click Free initiative is designed to allow paywalled content to be crawled and indexable, subject (among other things) to guidelines like:

      - All users who click a Google search result to arrive at your site should be allowed to see the full text of the content they're trying to access.
      - The page displayed to all users who visit from Google must be identical to the content that is shown to Googlebot.

      Now, these are true for EE, but the page which is shown to both Googlebot and users who've clicked through from Google is very obviously geared around making you think you have to pay to see the answer which is at the bottom of the page.

      Also, Google only requires that click-through users see the same content as Googlebot. It doesn't require that a casual user sees the same content. Experts Exchange is in effect a paywalled site and you should think of it in the same way you think of other paywalled sites.

    21. Re:I really wish... by rumith · · Score: 1

      Use the Personal Blocklist Chrome extension to remove ExEx from Google search just for you. Also, it's quite amazing that you still get it high in your result, I mostly get StackOverflow at the top (as it should be).

    22. Re:I really wish... by speculatrix · · Score: 1

      create a bookmark called "goognoreviews" with the following: javascript:sURL='http://www.google.co.uk';sTerm=prompt('Enter%20a%20Google%20search%20term','');if(sTerm!=null){void(document.location=sURL+'/search?q='+encodeURIComponent(sTerm)+"+-inurl:(kelkoo|bizrate|pixmania|dealtime|pricerunner|dooyoo|pricegrabber|pricewatch|resellerratings|ebay|shopbot|comparestoreprices|ciao|unbeatable|shopping|epinions|nextag|buy|bestwebbuys)")}else{void(document.location)}

    23. Re:I really wish... by Flyerman · · Score: 1

      No shit! They show google the answer in exchange for showing up in search results. Google requires them to not hide the answers when people click through the results. Why would they show you the answer if you didn't click through the results?

      It's not dodgy, and yeah, they're just another paywall.

    24. Re:I really wish... by IAmGarethAdams · · Score: 1

      I realise they're just another paywall, I even said as much myself already.

      But it's still dodgy - even the page which has the answer at the bottom strongly hints that you need to "Subscribe now" to get "Instant Access to this Solution". I don't have problems with paywalls but this is an extra level of deviousness.

    25. Re:I really wish... by perryizgr8 · · Score: 1

      there is no "Block all www.experts-exchange.com results" button :(

      --
      Wealth is the gift that keeps on giving.
    26. Re:I really wish... by Ksevio · · Score: 1

      They sometimes block the answers if google picks up a page with just the question. It doesn't violate the rules because it shows the same page to google and other visitors, but there isn't useful information beyond the question.

    27. Re:I really wish... by LordLimecat · · Score: 1

      Er, if you want answers, all you have to do is google the question being answered, and click thru from google, then scroll all the way to the bottom. By Google's TOS, you cannot present different information to the google search engine than you present to someone coming from Google, so its not even likely to be blocked, nor do I feel bad about it-- it is the price of being indexed on Google.

      I mean, they can present ads that try to make you feel bad, and make it obnoxious to get to the info, but if anyone is being shady here it is a website trying to find loopholes in Google's TOS.

    28. Re:I really wish... by MurukeshM · · Score: 1

      Seconded. I use it to block w3schools and sexchange sites. Perhaps someone should do an intervention a la w3fools...

    29. Re:I really wish... by inject_hotmail.com · · Score: 1

      Only if you've clicked through from a Google search result

      It works from Yahoo as well...it must be the referrer...because it doesn't work from, say, startpage.com...

      I could see Yahoo and Google saying to Experts-Exchange: "Hey, we like it when people use our engine over any else's...we'll shoot you some cash if you let is read your answers...

    30. Re:I really wish... by jason1178 · · Score: 1

      Nah, it's just the requirements of the search engines that visitors from the search engine see what the search engine sees. If you try to come in without that, you will see the paywall. Folks have to make money...big web sites aren't free to run anymore.

    31. Re:I really wish... by PRMan · · Score: 1

      Just scroll all the way to the bottom. The answers are there. I find expertsexchange.com to be very useful...

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    32. Re:I really wish... by Ksevio · · Score: 1

      If you google the question, sometimes google will pick up a page with only the question and no answers.

    33. Re:I really wish... by hldn · · Score: 1

      http://www.google.com/reviews/t

      page to manage your blocked sites.

      --
      http://www.accountkiller.com/removal-requested
    34. Re:I really wish... by inject_hotmail.com · · Score: 1

      Nah, it's just the requirements of the search engines that visitors from the search engine see what the search engine sees. If you try to come in without that, you will see the paywall. Folks have to make money...big web sites aren't free to run anymore.

      So you mean to say that Yahoo is telling Experts-Exchange to open up their pay wall just so that Experts-Exchange doesn't get removed from Yahoo's search index? That doesn't really make sense...because then Experts-Exchange would simply not show "answers" to the search engine's spider (which would be the default behaviour of any pay wall).

      I can't imagine Experts-Exchange would bend to Google or Yahoo in such a way...I do, however, believe that Yahoo would want users to use their engine to search Experts-Exchange rather than go off and use Google's (or whomever else) which may have cached responses. (In fact, I recall a time whereby the search index/chached copy contained Experts-Exchange answers, but when a searcher visited the actually KB page, the answer wouldn't be there.

      Anyway, this is all conjecture...the simple fact remains that if a searcher uses Google or Yahoo to find information on Experts-Exchange, they will see the answer. If a user follows a link without being referred to Experts-Exchange by either aforementioned search engine, no answer is listed (another fact is the page CSS is different as well).

    35. Re:I really wish... by Mr.+DOS · · Score: 1

      Or you could just, y'know, scroll down to the bottom of the page and read the actual replies instead of the fakes at the top of the page...

    36. Re:I really wish... by jason1178 · · Score: 1

      Stack's gotten a lot worse with popularity and the newer sites on stack exchange range from okay to ghost towns. While sometimes you get a great set of answers, more often than not you get a horde of people editing your question into something different just so they can earn the boy scout badges and rep. There's plenty of garbage floating around there now.

    37. Re:I really wish... by jason1178 · · Score: 1

      It's Google's requirement under "First Click Free" that if coming from Google, you have to be able to see the full content of the page. If not, it's cloaking and bad things happen. Yahoo uses Bing and I'm pretty sure Bing is copying all Google policies down the letter :)

    38. Re:I really wish... by doccus · · Score: 1

      I first joined EE when it was a normal question/answer site I didn't even know they'd gone paywalled unti i tried to log in 10 years later or so (last year i think... At the time i needed something better (*anything* actually ) than Computing net. i actually needed answers.. Oh and PPS to the previous poster.. mine really DOES go up to 11.. It came from Jim Marshall's shop that way.. for real!

  2. Too late by esocid · · Score: 2

    /. was already removed from the internet. That's why no one is commenting.
    Come to think of it, how did I get here? Where am I? I'm old.

    --
    Absolute power corrupts absolutely. indymedia
    1. Re:Too late by shentino · · Score: 1

      You're probably such an old fart by now that you've memorized slashdot's IP address.

    2. Re:Too late by KiloByte · · Score: 1

      You see, most people these days type "facebook login" into Google, but some old geezers still use a thing named "DNS".

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:Too late by bigstrat2003 · · Score: 1

      It really baffles and aggravates me when people do that. It's like they seek out the most idiotic way to do something, and then follow it religiously as if it were the only workable solution.

      --
      "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
    4. Re:Too late by mehrotra.akash · · Score: 1

      http://xkcd.com/763/

  3. only one comment possible by circletimessquare · · Score: 1

    http://www.google.com/search?q=picard+facepalm&tbm=isch

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  4. Re:Bobby tables by Shikaku · · Score: 4, Informative

    http://bobby-tables.com/ Obligatory response.

  5. I'm glad people have by Nethemas+the+Great · · Score: 1

    http://www.supersecurewebsoftware.com/adminPages.aspx?admin=true&customeraccountaccess=true&warmfuzzyfeeling=true

    --
    Two of my imaginary friends reproduced once ... with negative results.
    1. Re:I'm glad people have by MacGyver2210 · · Score: 1

      Yeh, GET requests are not that secure...

      --
      If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
  6. Re:Bobby tables by Bob+the+Super+Hamste · · Score: 1

    That was fast. Someone mod parent informative.

    --
    Time to offend someone
  7. Probably an honest mistake by Baloroth · · Score: 1

    Well, this is pretty bad, though I imagine it probably happened because one webmaster could control multiple domains that look dissimilar, and they forgot to add checks to make sure that the webmaster really controlled the requested one. Oops. Nowhere near as bad as this, which was simple gross, heads-should-roll, incompetence, but still a pretty big mistake. Kinda sad that address bar "hacks" still work in this day and age. Especially at a company like Google.

    Looks like the removal isn't permanent, either, just temporary, so take that for what its worth. Still, wow, a malicious user could do serious damage to a lot of websites with this.

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    1. Re:Probably an honest mistake by maxwell+demon · · Score: 1

      A POST is in no way more secure than a GET.
      The flaw was to trust user input, plain and simple.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:Probably an honest mistake by Nadaka · · Score: 2

      Trust but verify. Verify the crap out of anything you get from the user. Even if its a read only field, even if its a hidden field, even if it is encrypted.

    3. Re:Probably an honest mistake by Mister+Whirly · · Score: 1

      This. Rule # 1 for creating anything with user input is - Never trust user input. Always sanitize before submission.

      --
      "But this one goes to 11!"
    4. Re:Probably an honest mistake by AmberBlackCat · · Score: 1

      At least we know a whole different group of people put together Google+ and it's totally secure...

  8. Interesting applications possible... by CCarrot · · Score: 3, Funny

    What if someone used this exploit to remove Google.com? Then my parents couldn't enter 'google' in the white box (Google homepage) to get to 'the internet'!

    Agh. I think my head exploded.

    --
    "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
    1. Re:Interesting applications possible... by idontgno · · Score: 1

      My head already apslode from the thought of needing Google to get to Google.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    2. Re:Interesting applications possible... by MacGyver2210 · · Score: 2

      I can't remember how many times I've tried to explain to various family members the differences between the two boxes in the title bar. It's a lot, that's for sure.

      They never seem to get it, and perpetually type URLs into the search box.

      --
      If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
    3. Re:Interesting applications possible... by maxwell+demon · · Score: 1

      One more hint at that introducing the search box was an error. After all, you can do everything from the URL bar which you can do from there.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    4. Re:Interesting applications possible... by Canazza · · Score: 1

      That's nothing, I know people who type google.com into the address bar, THEN type URLs into the google search box.

      --
      It pays to be obvious, especially if you have a reputation for being subtle.
    5. Re:Interesting applications possible... by yanyan · · Score: 1

      Yo dawg i herd you like searching so i put a google in your google so you can search while you search.

    6. Re:Interesting applications possible... by KiloByte · · Score: 1

      Well, that's better than Google's typo-jacking that sadly got into most browsers. I have that misfeature disabled -- to do a search, I type "g furry squid porn" (the default Firefox config has it on "google" which might be good enough for most, I shortened it to "g").

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    7. Re:Interesting applications possible... by CCarrot · · Score: 1

      That's nothing, I know people who type google.com into the address bar, THEN type URLs into the google search box.

      Oh? You know my parents? What a small world!

      (Oh, wait, I set up Google as their homepage, so I guess they usually skip the first part...)

      --
      "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
    8. Re:Interesting applications possible... by Bucky24 · · Score: 1

      I had a girlfriend once who did this. She would type "google.com" into the google search bar at the top of her browser (firefox) to get to google so she could run searches. Drove me crazy.

      --
      All the world's a CPU, and all the men and women merely AI agents
    9. Re:Interesting applications possible... by mehrotra.akash · · Score: 1

      Use chrome then..

      Even in Firefox, the address bar acts as a search bar if you dont enter a website address

    10. Re:Interesting applications possible... by LordLimecat · · Score: 1

      http://www.google.com/search?q=photos
      Thats odd, that doesnt point to picasa at all!

      http://www.google.com/search?q=social+networking
      wait a sec, wikipedia isnt a google product.... whats going on here?

      http://www.google.com/search?q=email
      Wait a second, the top result is a sponsored ad, which DOESNT point to gmail!

      Is it possible that youre just utterly wrong?

    11. Re:Interesting applications possible... by CrackerJack9 · · Score: 1

      Or were you confused why things with "Google" in their titles are at the top of the list when you search for "Google"?

  9. plug Google into it by roman_mir · · Score: 1

    The author of this 'xploit' would have gotten more attention from Google if he tried removing 'google.com' and some other domains that belong to the company.

    I think this is the closest one could get to breaking the Internet by 'typing google into google'.

    --
    You can't handle the truth.
  10. Re:Bobby tables by fuzzytv · · Score: 2

    The bug in webmaster tools has nothing to do with SQL injection, so although I like XKCD the two posts are quite irrelevant.

  11. So? by bigsexyjoe · · Score: 1

    Stackoverflow still gives you better answers. I see no reason to even get their answers for free.

    By the way, google should remove experts exchange, they give the googlebot the answer but try to hide from regular users.

    --
    Democracy Now! - your daily, uncensored, corporate-free
    1. Re:So? by delinear · · Score: 1

      I never understood that - Google made such a big deal about not showing different content to the bot than you do to users (to the extent that they banned high profile sites like BMW's .de site) and yet ExpertSexchange (which is how I always read it, anyhoo) are still around when their entire business model seems to be gaming the system.

    2. Re:So? by _0xd0ad · · Score: 1

      They DO give the same content to the user as they give to Googlebot - as long as the user is coming from Google, which is all Google really cares about.

      Of course, it's really not that hard to forge the referer header...

    3. Re:So? by Riceballsan · · Score: 1

      EE dosn't show different information to the bot then the users, the bot just views things differently. Both the user and the bot have to scroll down past the huge block of nothingness to get to the answers, the difference is the bot tends to only focus on and highlight the relevant information, while the user tends to skim over the "please pay now" buttons and stop. Yes if you aren't getting to the page from a google link, the solutions aren't hidden at the bottom, but that isn't googles concern, anything other then the result they give you in their search page, is no longer google's responsibility. Yes EE cheated and basically found a way to follow the letter of the law while pissing on the spirit of it, but nothing can be done about that.

    4. Re:So? by bhtooefr · · Score: 1

      Well, there is always changing the rules to react to the violation of the spirit...

    5. Re:So? by jason1178 · · Score: 1

      How is it cheating? At least they will display the answer. Try getting a recipe from Cooks Illustrated or something from Consumer Reports.

    6. Re:So? by jason1178 · · Score: 1

      There's a whole discussion right about you that pretty much explains why this isn't the case.

  12. Re:Bobby tables by LittleBobbyTables · · Score: 1

    Lol. Excellent choice of comics you have there

  13. Re:Strange by Tolkien · · Score: 1

    .... This hole in Google's code doesn't affect the general availability of your site. It affects whether or not the site is contained in Google's index.

    --
    how is babby formed?
  14. Re:Strange by fuzzytv · · Score: 1

    An awful lot of sites depend on visitors from search engines. No visitors = no business, so if you can block competing sites from the index (and thus from results), your business will be hurt badly.

  15. Re:Bobby tables by Nadaka · · Score: 1

    They are both inserting unexpected data into an unverified field. The only difference is that with SQL injection you are inserting sql to do what you want instead of just data.

  16. History? by popo · · Score: 1

    One wonders if Google can trace anyone who has previously used this technique to remove competitors from the index.

    It would be fascinating to see just who has been a bad boy.

    --
    ------ The best brain training is now totally free : )
  17. Collusion by Dainsanefh · · Score: 1

    With the security hole plugged, people who wish to remove their erroneous information online will need to use paid service such as Reputation Defender. I bet how much did RD paid to Google to get this fixed?

    --
    Twitter: @dainsanefh
  18. Re:Bobby tables by petermgreen · · Score: 2

    The problem I see with deniable encryption is that while they can't prove there is more to see you can't prove that there isn't. So if they think the keys you have given them are decoys they will just keep tortuting you until you either reveal further keys or die.

    --
    note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
  19. Re:Bobby tables by nabsltd · · Score: 1

    It's called Deniable Encryption

    In the real world, deniable encryption means they beat you with the wrench even after you have given them a password that appears to work.

  20. Re:Strange by fuzzytv · · Score: 1

    Ooops, I see. Probably an attempt to gain some traffic ...

  21. Re:Bobby tables by fuzzytv · · Score: 1

    Well, many attacks are based on unexpected values (if the developer expected that and it fails, he's a bit stupid). I was just pointing out this is not exactly SQL injection - the difference is that in this case there was a piece of business logic missing (check that the user is authorized to do that) and in case of SQL injection it's a failure at much lower level (data access).

    Anyway, let's not argue about this and let's read some old XKCD strips we've already forgotten.

  22. And by proxy... by Tarlus · · Score: 1

    So then if somebody used this exploit to remove sites from Google, does that mean they'll mysteriously disappear from Bing?

    =)

    --
    /* No Comment */