I think it's sad that he had to resort to publicly releasing this exploit because he couldn't find a way to contact Google about it.
In the past, when I've had problems, I couldn't contact them either. They've done a great job at making sure there's no human contacts available. You have to post something in a public forum and hope they'll contact you. (They won't.)
Sending an email to [email protected] will result in a quick response. As part of their bug bounty program Google would have paid $1,000 for this bug if not more.
It's obnoxious how hard it is to report bugs to Google. And posting in their forum is a joke anyway. Google's new two-factor authentication? Really neat right? Yeah, well, it's buggy and there is no way to report bugs for it. I posted in the forum and was received by crickets.
I don't mind it most of the time, but when I have a real issue or something that is obviously broken and unnoticed, it sure is frustrating.
edit: There's also no category for "generic login problems" or "Other". So I'm stuck posting it in Gmail.
This bug could have been exploited for millions of dollars. Imagine giving a mafia boss control over the heartbeat of every rival. One blackhat SEO could have dominated any number of lucrative keywords.
If this bug has existed for a long time it's quite possible some guy is sailing around on a yacht that this bug paid for.
It's such a blindingly obvious bug that I really do wonder whether this might have been a backdoor/inside job by an employee. Google should very closely inspect the code change history.
Hopefully they also maintain a history of all page removal requests to see who might have been exploiting this.
It's not a back door, it's an abuse of an existing approach.
Google could weight the process in one of two ways:
1. in favour of the complaint-maker.
2. in favour of the website-owner.
If they favour the complainant, then website deletion is presumed to go ahead. If the webmaster, then it is presumed to be held up.
Google chose a compromise: the complaint is acted on, after a delay. The webmaster gets notified through webmaster tools; after some period of time the removal goes ahead.
If Google flip the compromise around, they will make it nigh impossible to remove any websites from the index.
Despite it being "fixed" not long after the blog post went live, I wonder how long/how many people knew about this bug. Seems like it would be a great trick for SEO (build page to certain PR/remove opponents ranking above you)
Does this _actually_ work though? You get the message "URL pending for removal" but does that mean it's really going to be removed? Perhaps this is just a default response.
I don't know how is possible that a so obvious bug passed their quality department, and I wonder if someone didnt discovered it before and was doing this to take out competitors indexes..
Bugs happen. Even big ones like this. Any engineer worth his money knows that no amount of Q&A will discover 100% of the bugs. But, as Joel Spolsky said somewhere, bugs are just bugs, you fix them and then they're fixed.
My guess would be that someone took an internal tool with few security requirements and rolled it straight to production. If that is the case, this is probably an excellent candidate for a security audit, there are almost certainly more issues if something this basic was not in place.
Somewhat related: I wish GWT had a "pattern" removal.
With one of my sites, by the time I noticed that certain pages were missing the "noindex" tag Google happily indexed over 4000 pages. Considering the rate Google is crawling those pages it may take years to be removed from the index. Obviously, submitting each link one by one is rather tedious.
Hopefully the author is going to release that extension after Google fixes this bug. I may actually bother clicking 4K times just to see that site "fixed"...
Grrr, google and it's acronym's, I thought GWT stood for Google Web Toolkit and I was really confused for a second. Instead this GWT stands for Google Webmaster Tools...
"but I've never heard of a law protecting one's right to be listed in a search engine."
I believe that in most countries where computer crime law exists, removing or modifying data that is not yours(1) is covered by the law.
(1) What's "yours" and what's not is of course a very tricky question when it comes to immaterial things. Whether a listing for your webpage generated by a third party is yours, I wouldn't bet (on either side.)
In germany, you might have a stab at sueing for lost income, for example if you are a shop with a large number coming from google search, or if you get large amounts of ad revenue from visitors from google.
I am always amazed how experienced programmers can make such obvious errors when processing user input. Why would I ask for a URL of the WMT account in the query string?
I just hope that there is no "for the lulz" guy running a batch script to see how many million URLs he'll be able to remove before this gets fixed.
Personally, I would be more concerned if someone with malicious intent and the ability to keep silent about what they have done had found & exploited this. [0]
Advertise: remove your competitor from Google's search results for a day! If I didn't think it was illegal, I'd probably pay for that, were I in such a situation.
[0] If, of course, it even existed in the first place. It seems plausible enough to me, even if I think it unlikely.
4 months ago one of my sites totally disappeared from Google. I wonder if this is because of this??? It's not a shady site, and there's no reason Google would remove ALL the pages.. if anything they'd penalize it.
[+] [-] wccrawford|14 years ago|reply
In the past, when I've had problems, I couldn't contact them either. They've done a great job at making sure there's no human contacts available. You have to post something in a public forum and hope they'll contact you. (They won't.)
[+] [-] ssclafani|14 years ago|reply
[+] [-] michaelfairley|14 years ago|reply
[+] [-] andreyf|14 years ago|reply
[+] [-] unknown|14 years ago|reply
[deleted]
[+] [-] drivebyacct2|14 years ago|reply
I don't mind it most of the time, but when I have a real issue or something that is obviously broken and unnoticed, it sure is frustrating.
edit: There's also no category for "generic login problems" or "Other". So I'm stuck posting it in Gmail.
[+] [-] staunch|14 years ago|reply
If this bug has existed for a long time it's quite possible some guy is sailing around on a yacht that this bug paid for.
It's such a blindingly obvious bug that I really do wonder whether this might have been a backdoor/inside job by an employee. Google should very closely inspect the code change history.
Hopefully they also maintain a history of all page removal requests to see who might have been exploiting this.
[+] [-] cheez|14 years ago|reply
Quite possibly exploited for non-savvy website owners. Savvy owners would be checking their ranking regularly and noticing it disappear one day.
Anyone who ranks highly for lucrative keywords and does not check their ranking is asking to lose it, whether ethically or otherwise.
So I don't think it would have been exploited for the millions you think, but possibly a good bit of money.
[+] [-] xiaoqmashh|14 years ago|reply
[deleted]
[+] [-] jacques_chester|14 years ago|reply
Google could weight the process in one of two ways:
If they favour the complainant, then website deletion is presumed to go ahead. If the webmaster, then it is presumed to be held up.Google chose a compromise: the complaint is acted on, after a delay. The webmaster gets notified through webmaster tools; after some period of time the removal goes ahead.
If Google flip the compromise around, they will make it nigh impossible to remove any websites from the index.
[+] [-] brownie|14 years ago|reply
[+] [-] _gingerhendrix|14 years ago|reply
[deleted]
[+] [-] retube|14 years ago|reply
Were any non-owned sites/urls actually removed?
[+] [-] juliano_q|14 years ago|reply
[+] [-] DrJokepu|14 years ago|reply
[+] [-] flatline|14 years ago|reply
[+] [-] latch|14 years ago|reply
[+] [-] unknown|14 years ago|reply
[deleted]
[+] [-] pbz|14 years ago|reply
With one of my sites, by the time I noticed that certain pages were missing the "noindex" tag Google happily indexed over 4000 pages. Considering the rate Google is crawling those pages it may take years to be removed from the index. Obviously, submitting each link one by one is rather tedious.
Hopefully the author is going to release that extension after Google fixes this bug. I may actually bother clicking 4K times just to see that site "fixed"...
[+] [-] bostonvaulter2|14 years ago|reply
[+] [-] unknown|14 years ago|reply
[deleted]
[+] [-] ImperatorLunae|14 years ago|reply
It would <i>seem</i> that this is illegal, but I've never heard of a law protecting one's right to be listed in a search engine.
Perhaps, if this process requires you to be the owner, it qualifies as fraud?
[+] [-] dwwoelfel|14 years ago|reply
For example,
produces italic.http://news.ycombinator.com/formatdoc
[+] [-] praptak|14 years ago|reply
I believe that in most countries where computer crime law exists, removing or modifying data that is not yours(1) is covered by the law.
(1) What's "yours" and what's not is of course a very tricky question when it comes to immaterial things. Whether a listing for your webpage generated by a third party is yours, I wouldn't bet (on either side.)
[+] [-] tetha|14 years ago|reply
[+] [-] yaix|14 years ago|reply
I just hope that there is no "for the lulz" guy running a batch script to see how many million URLs he'll be able to remove before this gets fixed.
[+] [-] unknown|14 years ago|reply
[deleted]
[+] [-] orblivion|14 years ago|reply
[+] [-] ethereal|14 years ago|reply
Advertise: remove your competitor from Google's search results for a day! If I didn't think it was illegal, I'd probably pay for that, were I in such a situation.
[0] If, of course, it even existed in the first place. It seems plausible enough to me, even if I think it unlikely.
[+] [-] xtal|14 years ago|reply
[+] [-] amritayannayak|14 years ago|reply
[+] [-] MNUO|14 years ago|reply
[+] [-] suking|14 years ago|reply
[+] [-] Hisoka|14 years ago|reply