Google has patched a vulnerability in its public Remove Outdated Content tool that let anyone deindex virtually any web page without authentication. The company says it has restored the “tiny fraction” of URLs removed by the exploit and that the form now validates requests correctly.
What happened
The flaw came to light in a Freedom of the Press Foundation report that documented hundreds of legitimate pages disappearing from Google Search between late 2023 and early 2024. Attackers submitted the target URL with altered capitalization; that variant returned a 404 to Google’s crawler, which triggered automatic removal of the live page.
Google confirmed the issue and said indexing has been restored for affected sites.
Key details
- At least 400 news articles were temporarily deindexed.
- The Remove Outdated Content form required no Search Console access or site ownership.
- Google Search Liaison Danny Sullivan acknowledged the bug in a Search Console Help Community post on 15 May 2024.
- Google issued a fix in early June 2024 and reinstated affected URLs.
- The company has not provided exact figures, calling the impact “tiny.”
Why it matters
The Remove Outdated Content tool, launched in 2020, lets anyone request cleanup of pages that return a 404, or a refresh of snippets that no longer match the live text. Researchers had warned since 2023 that the form could be exploited for negative SEO because it did not fully verify URL case sensitivity. Publishers could reverse removals in Search Console, but attackers could resubmit requests, forcing constant monitoring.
Google says the form now checks canonical versions and ignores malicious case changes, closing the loophole.
What site owners should do
- Review the Removals report in Google Search Console to confirm all valid pages are indexed.
- Set up alerts for unexpected drops in indexed URLs.
- Maintain consistent canonical tags and monitor 404 responses after URL changes.
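One way to monitor 404 responses for the capitalization trick described above, as an added example that is not from Google or the original report: it flags 404s whose path differs from a known live URL only in letter case. The combined log format, the function name, the paths and the log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed input: combined log format
# ip - - [time] "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<agent>[^"]*)")?'
)

def find_case_variant_404s(log_lines, live_paths):
    """Map each live path to the 404 requests that differ from it only in
    capitalization, as (requested_path, time, user_agent) tuples."""
    by_folded = {p.casefold(): p for p in live_paths}
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "404":
            continue
        path = m["target"].split("?", 1)[0]  # compare paths, ignore query
        live = by_folded.get(path.casefold())
        if live is not None and path != live:
            hits[live].append((path, m["time"], m["agent"] or ""))
    return dict(hits)

# Constructed sample data (hypothetical paths, documentation-range IPs).
LIVE_PATHS = ["/news/2024/court-ruling", "/about"]
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:22 +0000] "GET /news/2024/Court-Ruling HTTP/1.1" 404 512 "-" "ExampleFetcher/1.0"',
    '198.51.100.4 - - [12/Mar/2024:10:02:03 +0000] "GET /news/2024/court-ruling HTTP/1.1" 200 9041 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2024:10:05:40 +0000] "GET /no-such-page HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:10:06:11 +0000] "GET /ABOUT?ref=x HTTP/1.1" 404 512 "-" "ExampleFetcher/1.0"',
]

if __name__ == "__main__":
    for live, variants in find_case_variant_404s(SAMPLE_LOG, LIVE_PATHS).items():
        for requested, when, agent in variants:
            print(f"{live}: 404 for case variant {requested} at {when} ({agent})")
```

A hit is a prompt to check the matching live URL in the Removals report.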