Google has closed a flaw in its public Remove Outdated Content tool that let any user deindex live pages from Search. The vulnerability, active since 2023, was patched in May 2024 after publishers reported hundreds of stories disappearing from results.
How the bug worked
According to Google’s Search Liaison team, the exploit relied on submitting a page request with mixed-case characters in the URL slug. Because most servers treat uppercase and lowercase paths as identical, the altered address returned a 404 error. Google’s crawler interpreted that response as evidence the content was obsolete and removed every version of the URL from its index.
The Freedom of the Press Foundation report documented at least 400 articles disappearing from one news outlet, many covering a San Francisco technology executive. Google said only a tiny fraction of sites were affected and that all wrongly deindexed pages have since been restored.
Key facts
- Bug active since 2023; fix deployed in May 2024.
- Any Google account holder could submit a removal request without proving site ownership.
- Affected publishers saw dozens of pages vanish each week.
- Google’s Danny Sullivan confirmed no manual block list was used during the investigation.
- Patch now prevents case-altered URLs from influencing canonical versions.
Why it matters
The Remove Outdated Content tool was designed for the public to flag search snippets that show outdated cached text or dead links. Because the service never required domain verification, security researchers have long warned it could be weaponised for negative SEO. Until this update, the only remedy for an improper takedown was to resubmit each URL in Search Console - a time-consuming process for publishers.
Google says it will continue to monitor for similar exploits and advises site owners to redirect or rewrite unexpected uppercase URL requests to reduce risk.
.svg)
.svg)
.svg)