WebmasterTools in Dangerous Security Flaw
It has been seen tonight that Webmaster Tools has suffered a major security flaw that opened up and reverified all old accounts. What does this mean for the SEO community?
From an initial glance at our WMT accounts, we have now regained access to every old account we had previously been given access to, whether that is a previous client or maybe a site that came to us for some short-term consultancy. What is also quite amusing (if you look on the funny side) is that you can see who won the client or who you won the client from.
On a more serious note though, now that WMT is so much more powerful than it ever was, there is a serious risk that damage could be caused to sites by people who no longer have permission to make changes. Things like disavowing link lists, deindexing URLs or the entire site, redirecting URLs, geolocation alterations... a whole world of pain.
Oh… and the same goes for Google Analytics too... it's going to potentially be a late night! Hopefully the messages that we have sent to Matt Cutts will be seen and actioned quickly.
This is when the reverification attempts happened

Here is a screenshot of what we “could” do …. (Disclaimer – we won’t be doing anything to anyone)

This is an example of the mess... so, from the bottom up on this account: 13 days ago ownership was revoked for the old SEO company, 11 days ago a new SEO company was added, then what appears to be an hour ago the old SEO company, an ex-employee and us (who haven’t had the account for about a year) were reverified.

20 Comments
Alastair McDermott - http://www.websitedoctor.com/
Disastrous security measures by Google. They’ll need to provide some kind of solution, maybe roll back 24 hours of GWT data or something like that.
Lee Smallwood
That is such a hole David…! Any news from Matt Cutts yet?
Lee Colbran
I noticed something happening this afternoon. Well done for alerting the community to this Dave.
James Norquay - http://jamesnorquay.com
This is a massive security flaw for Google, I have checked a few of my accounts and they do not seem to have old accounts showing. I have also read of people having access to old Google Analytics accounts on Twitter. Would be good to see an official statement from Google regarding this!
Christopher West - http://about.me/seowestcp
Hi David
Not seeing this so far in a few of the AU sites I have checked – but will keep monitoring.
Thanks for the heads-up!
Bob Jones - http://www.titanweb.com.au
Panic in the office this morning after this post came to my attention, but it looks like none of our sites have any problems (800+ Australian sites). Seeing that James and Christopher also mentioned not seeing any problems with their Australian sites… perhaps it's only happening to certain regions?
Serious Google security glitch restores Webmaster Tools, possibly Analytics access to revoked accounts - Daily Small Talk - pingback
[…] can see some evidence of the Webmaster Tools access on David Naylor’s blog here, where he demonstrates some of the things that could be done to his firm’s ex-clients. He has […]
Jimboot - http://stewartmedia.biz
Damn what a morning we picked to delete all old accounts that were unverified LOL. We just finished doing it when I read your post.
Google Webmaster Tools Security Bug Re-Opens Access To Old Accounts - pingback
[…] today and reported on several SEO blogs and news outlets — including (first, I believe) by Dave Naylor — and was discussed pretty heavily by search marketers on Twitter. We asked Google late […]
Massive Google Webmaster Tools security breach reported | VentureBeat - pingback
[…] client or maybe a site that came to us for some short term consultancy,” David Naylor posted on his search marketing blog today. Source: David Naylor Google Webmaster Tools re-verifying old […]
ketan raval - http://www.implicitly.me/
That is a terrifying security hole and privacy issue.
Uncle Demotivator - http://www.motivationals.org
This is what happens when you archive everything and never really delete anything. However I doubt that Google will learn anything from this.
Alan Charncok - http://www.seo-internetmarketing.co.uk
Happened to the company I work for, Google fails again!
Doc Sheldon - http://topshelfcopy.com
Good catch, Dave and a good job of letting folks know right away. FYI, we’ve found no changes here yet on any of our clients’ accounts (AU, UK, CA, US), but will keep checking periodically.
Jimboot - http://stewartmedia.biz
OK Dave, can confirm it happened here in Australia. It looks like it has been fixed now.
Andrea Moro - http://www.andreamoro.co.uk
Google reverted the situation within hours of the discovery. Those sites to which automatic authorization had been given have also been automatically demoted. Not a big issue though, especially considering the issue occurred during night time in Europe.
However, if you are still experiencing the issue and you see some sites to which you should not have access, please feel free to report them here and I will liaise directly with the relevant Google team with which I’m in contact as an official TC.
Hacked webmaster tool account Checklist - Link Lately - pingback
[…] We all know how important it is to secure your webmaster tool account. However, for a short time last week Google left its users open to attack due to a security glitch […]
Carl - http://www.webmaisterpro.com
This is an absolute disaster for every webmaster. I just can’t believe this is happening with “Big G”.
Volker Schaefer - http://www.InternetMarketingPro.biz
Wow, why do such things happen to Google again and again?
They should be better.