Website administrators were thrown into panic last night as a significant security flaw emerged in Google Webmaster Tools, the service that helps users optimise traffic and diagnose problems on their sites.
A number of different sources have reported a problem with terminated user accounts becoming re-verified, opening websites up for sabotage and misuse from unauthorised members.
One Google Webmaster Tools operator, SEO blogger David Naylor, explained how his company “regained access to every old account we have previously been given access to, whether that is a previous client or maybe a site that came to us for some short term consultancy.”
Highlighting the danger of the service ending up in the wrong hands, Naylor adds that because “WMT is so much more powerful than it ever was there is a serious risk that damage could be caused to sites by people who no longer have permission to make changes. Things like disavow link lists, deindex urls or the entire site, redirect urls, geolocation alterations .. a whole world of pain.”
Numerous other users confirmed the issue on Twitter, having been notified that “new verified owners” had been added to their accounts. One such user, Patrick Altof, who realised the breach worked both ways, tweeted, “I can see stats & could even remove URLs,” referring to sites belonging to old clients.
Google Analytics is thought to have been affected by the glitch too, meaning further confidential data is accessible to non-verified users.
The SEO community has been alerting Google’s head of webspam, Matt Cutts, but neither he nor the company has commented on the issue yet.