In a shocking revelation, a major bug in Google’s URL removal tool allowed anyone — even anonymously — to wipe any website’s pages from Google Search. The exploit, which had been known to Google since 2023, was only recently fixed, raising serious concerns about online security and manipulation of search results.
Bug Used to Bury Critical News
According to the Freedom of the Press Foundation, the exploit wasn’t just theoretical — it was used in real-world attacks. One high-profile case involved a tech CEO who tried to silence a journalist by removing negative coverage from Google’s index.
The CEO had reportedly tried everything — from legal threats and DMCA takedowns to pressuring officials — but the article remained online. That changed when someone began abusing Google’s “Remove Outdated Content” tool, making the page vanish from search results.
The journalist’s team quickly realized what was happening. Even though the article was still live, repeated abuse of Google’s tool kept deindexing it. After raising concerns in Google’s public forums, they described how attackers would falsely claim outdated content by referencing words no longer present in the article.
Here’s how the team described the attack on Google’s Help Community:
“We have a dozen articles that got removed this way.
We can measure it by searching Google for the article using the headline in quotes and with the site name — no results returned.
Then we go to GSC (Google Search Console), find it has been APPROVED for outdated content removal.
We cancel that request, and the article reappears in search.
This is the fifth time we’ve seen this happen.”
Over 400 Articles Removed in Coordinated Attack
The abuse wasn’t just limited to one article. The site reported a massive negative SEO attack that saw over 400 pages deindexed, even though they were still live and published.
“Every week, dozens of pages are being deindexed.
We have to check GSC daily to catch what’s removed and restore it.
Someone’s submitting them via the public removal tool — and it’s working.”
Despite their efforts, there was no official way to block such attacks.
Google Responds, But Fix Took Time
Eventually, Google’s Danny Sullivan chimed in on the support thread, acknowledging the problem but stating there was no built-in protection:
“Thank you — and again, the pages where you see the removal happening, there’s no blocking mechanism on them.”
He added:
“The tool is designed to remove links that are no longer live or snippets that no longer reflect live content.
We’ll look into this further.”
How Attackers Exploited the System
The original theory was that attackers were flagging content based on changed words. But it turns out the exploit was more technical — and sneakier.
The trick involved manipulating the capitalization of URLs. While Google’s Outdated Content Removal tool is case-sensitive, Google’s crawler system appears to treat those requests as case-insensitive during certain stages.
So if someone submitted a version of the URL with capital letters — say, “/Article-Title” instead of “/article-title” — and that version returned a 404 Not Found error, Google would mistakenly remove all versions of the URL from its index.
According to the Freedom of the Press Foundation:
“A malicious actor could… disappear a legitimate article by submitting a removal request for a URL that resembled the target article but led to a ‘404 error.’
By altering the capitalization of a URL slug, a malicious actor could take advantage of a case-insensitivity bug in Google’s automated system.”
Google Admits the Problem, Says It’s Fixed
Google confirmed the bug and admitted that other websites were affected too. In an official response, they described the issue as only impacting a “tiny fraction of websites” and stated that affected URLs were reinstated.
They also confirmed — via email — that the bug has now been fixed.
This incident highlights the unseen risks of open-access tools and how they can be weaponized for censorship and SEO attacks. While Google has taken action now, many are asking: why did it take two years to fix such a serious vulnerability?
