Google has resolved a flaw that allowed anonymous users to misuse an official tool to remove any website URL from its search results, posing a serious negative SEO risk.
The issue, which had existed since 2023, meant that individuals could exploit the tool to deindex competitors’ pages from Google’s search listings without being identified. Despite being aware of the vulnerability, Google only recently acted to correct it.
Tool Exploited For Reputation Management
A report from the Freedom of the Press Foundation detailed how a tech CEO attempted to suppress unfavourable media coverage by a journalist. The efforts included legal moves to uncover the journalist’s sources, an intimidation effort involving the San Francisco city attorney, and a DMCA takedown notice.
Despite these tactics, the journalist and the Freedom of the Press Foundation succeeded in court, and the article remained accessible online—until it started disappearing through misuse of Google’s “Remove Outdated Content” tool. Although restoring the page via Google Search Console was straightforward, the manipulation persisted. This prompted a user to raise the issue on the Google Search Console Help Community.
In their post, they described how the attacker appeared to be selecting words no longer found in the original article, using that to justify removal requests on the grounds of being outdated.
The user explained in their community message:
“We’ve had around a dozen articles taken down this way. We can track it by searching Google for the headline in quotes alongside the site name, and no results appear.
Then we check Google Search Console and see it’s been marked as ‘APPROVED’ under outdated content removal. We then cancel the request, and within moments, the article reappears in search. This has happened five times so far.”
Four Hundred Articles Deindexed
The situation amounted to a targeted and persistent attack on a website, and it appeared that Google was unable to prevent the misuse, leaving the affected user in a difficult and vulnerable position.
In a later update, the user shared the serious impact of the ongoing negative SEO assault:
“Each week, dozens of our pages are removed from Google’s index, and we’re forced to monitor Google Search Console daily to spot any fresh removals and manually reinstate them.
So far, over 400 articles have been taken out of search results—even though they were all still live on our site. Someone exploited the public removal tool to submit these links, resulting in their deindexing.”
Google Promised To Look Into It
The user inquired whether there was any method to prevent these ongoing attacks, to which Google’s Danny Sullivan replied:
“Thank you — and once again, for the pages where these removals are occurring, there isn’t a mechanism in place to block them.”
In a later response, Danny acknowledged the issue and added:
“The tool was intended to take down links that are no longer active or snippets that don’t match the current content. We’ll investigate this matter further.”
How Google’s Tool Was Exploited
The original report suggested that the negative SEO attack was exploiting changes in wording to file successful outdated content removal requests. However, it later became clear that a different tactic was also being used.
Google’s Outdated Content Removal tool is case-sensitive. This means if someone submits a URL with capital letters, Google’s crawler will check that exact version. If the server responds with a 404 error, Google may remove the URL — and potentially other versions of it — from search results.
Although the Freedom of the Press Foundation claimed the tool was case-insensitive, that’s not entirely accurate. If it truly ignored case, the use of uppercase or lowercase wouldn’t matter. But in this case, it clearly does — indicating that case sensitivity played a key role.
In theory, the site under attack could have avoided this issue by redirecting all uppercase URLs to lowercase versions, ensuring consistency across the site.
The attacker exploited exactly this mismatch. The removal tool checked the submitted URL in a case-sensitive manner, but somewhere in Google’s system the URL was treated as case-insensitive, which led to the correct, live page being deindexed.
As the Freedom of the Press Foundation explained:
“Our article was removed from Google Search using a technique that hasn’t been widely documented before — a sustained abuse of Google’s ‘Refresh Outdated Content’ tool.
This feature is intended for users who aren’t site owners to request removal of dead pages (those returning a 404 error), or updates to search results showing outdated snippets.
But a bad actor was able to make a legitimate page disappear simply by submitting a removal request for a URL with different capitalisation. This triggered a flaw in Google’s system that treated it as the same URL — even though it wasn’t — and removed the page from search results.”
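The uppercase-to-lowercase redirect mentioned earlier as a possible defence, sketched as a small WSGI middleware. This is an added example, not code from Google, the Freedom of the Press Foundation or the affected site. It assumes the site's canonical URLs are all lowercase; `LIVE_PATHS`, `site` and `probe` are constructed stand-ins for a real application and crawler request.

```python
import string
from urllib.parse import quote
from wsgiref.util import setup_testing_defaults

ASCII_LOWER = str.maketrans(string.ascii_uppercase, string.ascii_lowercase)

class LowercasePathRedirect:
    """Answer case-variant URLs with a 301 to the lowercase path, never a 404."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        # ASCII-only lowering: WSGI paths are raw bytes decoded as latin-1,
        # so str.lower() could corrupt multi-byte UTF-8 characters.
        lowered = path.translate(ASCII_LOWER)
        if lowered == path:
            return self.app(environ, start_response)
        # Collapse leading slashes so "//Host/x" cannot turn into a
        # scheme-relative redirect to another site.
        location = "/" + quote(lowered.lstrip("/"), safe="/", encoding="latin-1")
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]

LIVE_PATHS = {"/news/ceo-lawsuit-dismissed"}  # constructed sample article path

def site(environ, start_response):
    """Constructed stand-in for a case-sensitive site: exact match or 404."""
    found = environ["PATH_INFO"] in LIVE_PATHS
    body = b"article" if found else b"not found"
    start_response("200 OK" if found else "404 Not Found",
                   [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))])
    return [body]

def probe(app, path, query=""):
    """Issue one GET against a WSGI app; return (status code, Location header)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(PATH_INFO=path, QUERY_STRING=query)
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen.update(status=int(status.split()[0]), location=dict(headers).get("Location"))
    list(app(environ, start_response))
    return seen["status"], seen["location"]

if __name__ == "__main__":
    variant = "/News/CEO-Lawsuit-Dismissed"
    print("unprotected:", probe(site, variant))
    print("protected:  ", probe(LowercasePathRedirect(site), variant))
```

A site whose canonical URLs legitimately contain uppercase letters cannot lowercase blindly and would need a lookup of known paths instead.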