  • http://twitter.com/halfbrown halfbrown

    It looks like the method to do this used the Query String, so it should be easy enough for Google to (at the very least) sift through the log files to see who had been using this bug for taking out competitors. Assuming, that is, that you *had* to be logged into your GWT account as the article says.

  • http://www.webdesigncompany.net melvinram

    @halfbrown Well, I’m assuming you had to be logged into *a* GWT account, not necessarily one associated with your main sites. It’s crazy what could be done with this nuclear weapon.

  • http://www.esotech.org geilt

    Holy crap. Imagine how long this could have been going on without being reported? Could explain some unexpected losses in high-powered industries that rely a lot on Blackhat, like Insurance or Auto.

    Am amazed they don’t require a hash string or authentication to submit that stuff.

  • http://www.seroundtable.com/ Barry Schwartz

    This is why I didn’t cover it here until Google removed the feature or fixed the bug.

  • http://www.modulussystems.com Arjun Sandhu

    Barry/James – seriously? Wow! Did you try removing a site that wasn’t verified by you and did it work? I’m thinking – what if someone removed BBC or Facebook etc? That would make global news! You have no idea of the magnitude of the favour you’ve done Google. I’m looking forward to your reply – did you try removing a url?

  • iKiks

    Any idea what happens now if a site owner really wants to remove pages, sites or sub domains? I think we need to know what steps to take.

  • http://www.modulussystems.com Arjun Sandhu

    Just read on James’ post that the URL actually did disappear off Google.

  • http://www.seroundtable.com/ Barry Schwartz

    Arjun, I did not but James did.

    ikiks, I am told Google disables the removal tool, which I wrote above. So nothing will happen, it won’t let you.

  • http://www.stream20.com Donal

    Great spot James/Barry, I can imagine some large ethically challenged companies getting an unrelated bedroom coder to block their competition for them.

  • http://www.wptransfers.com Mihai Alexandru

    I just tried it and it still worked for me.
    Still showed the remove button.

  • http://magicallinux.blogspot.com/ Andy Pieters

    Well, it’s a good thing then that the RFC states that GET requests should be safe…

    http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

  • R.M.

    Well done, you have just ruined my advantage. Why spill?