Updated: Google Webmaster Tools Security Bug Re-Opens Access To Old Accounts [Now Fixed]
A security bug in Google Webmaster Tools has given users access to old accounts and websites that they’re no longer supposed to be able to access.
The problem was discovered Tuesday and reported on several SEO blogs and news outlets — including (first, I believe) by Dave Naylor — and was discussed pretty heavily by search marketers on Twitter. We asked Google late Tuesday afternoon to comment on the bug reports, but have not received a reply.
What’s happening in some, but not all, Webmaster Tools accounts is that users are suddenly finding themselves with access to accounts that they once had access to but no longer should; i.e., those of former clients, employers and the like. That bug is presumably giving a lot of power to individuals who shouldn’t have it: power to deindex, disavow links, unverify the current/legitimate webmaster’s access, and even redirect sites to other verified domains in the user’s account. It also reveals a lot of link, search, index/crawl and other data to users who shouldn’t be able to see those things.
The bug isn’t affecting my Webmaster Tools account, so here’s a screenshot from Dave Naylor’s account showing several verification changes that re-opened access to old accounts/websites.
There are reports that the same (or a similar) bug is affecting Google Analytics, and State of Search reported that some blocked connections in Google Talk have also been unblocked.
This is a serious problem and Google’s silence on it so far suggests that they’re still trying to sort out what’s happening and why — and how to fix it.
Postscript: Google fixed the issue this morning, several hours after the breach. Here is the statement they sent us:
For several hours yesterday a small set of Webmaster Tools accounts were incorrectly re-verified for people who previously had access. We’ve reverted these accounts and are investigating ways to prevent this issue from recurring.
Google also tells us that, despite reports from users, Google Analytics was not impacted.