Introduction to Google’s Bug
Google recently fixed a bug that allowed anyone to anonymously use an official Google tool to remove any URL from Google search. This tool had the potential to be used to devastate competitor rankings by removing their URLs completely from Google’s index. The bug was known by Google since 2023, but until now, Google hadn’t taken action to fix it.
Tool Exploited For Reputation Management
A report by the Freedom of the Press Foundation recounted the case of a tech CEO who had employed numerous tactics to “censor” negative reporting by a journalist. The tactics ranged from legal action to identify the reporter’s sources, an “intimidation campaign” via the San Francisco city attorney, and a DMCA takedown request. Through it all, the reporter and the Freedom of the Press Foundation prevailed in court, and the article at the center of the actions remained online until it began getting removed through abuse of Google’s Remove Outdated Content tool.
The Abuse of Google’s Tool
The person who was affected by the abuse posted a description of what was happening on the Google Search Console Help Community and asked if there was a way to block abuse of the tool. The post alleged that the attacker was choosing a word that was no longer in the original article and using that as the basis for claiming an article is outdated and should be removed from Google’s search index. The report explained that the attacker was exploiting a flaw in Google’s system, where the removal tool was case-sensitive, but the system that processed the removal requests was case-insensitive.
Four Hundred Articles Deindexed
The sustained negative SEO attack had a devastating effect on the website, with over 400 articles deindexed. The user had to check the Google Search Console every day to see if anything else got removed and then restore it. Google’s Danny Sullivan responded to the user’s post, saying that they would look into it and that the tool is designed to remove links that are no longer live or snippets that are no longer reflecting live content.
How Google’s Tool Was Exploited
The attacker exploited the case-sensitivity of Google’s Outdated Content Removal tool. By submitting a URL with an uppercase letter, the crawler would go out to specifically check for the uppercase version, and if the server returned a 404 Not Found error response, Google would remove all versions of the URL. The victim of the attack could have created a workaround by rewriting all requests for uppercase URLs to lowercase and enforcing lowercase URLs across the entire website.
Other Sites Affected By The Exploit
Google admitted that this exploit did, in fact, affect other sites. They said that the issue only impacted a “tiny fraction of websites” and that the wrongly impacted sites were reinstated. Google responded by email to note that this bug has been fixed.
Conclusion
The bug in Google’s Outdated Content Removal tool was a serious issue that could have been used to devastate competitor rankings. The exploit was used to remove over 400 articles from a website, and it’s likely that other sites were affected as well. Google has fixed the bug, but it’s a reminder of the importance of monitoring and maintaining online presence. It’s also a warning to website owners to be aware of the potential for negative SEO attacks and to take steps to protect themselves.