Google Webmaster Tools Security Flaw Confirmed

by Jim November 29, 2012

One of our junior developers came to me yesterday morning and said “How about I clean out the webmaster tools account? There are lots of old clients in there that are unverified.” For an SEO company like ours we have a main Webmaster Tools account that all our clients are connected to. The account is about 6 or 7 years old. In that time Google has changed the way that sites are verified probably once a year.

Unlike Google Analytics, Webmaster Tools simply tells you what Google already knows about your site. You are not giving any data to Google except maybe a sitemap. For some of the older SEO clients they uploaded an HTML file that had our account details so Google knew it could give us access to data about their site. If a client moved to a new SEO company typically they would remove our file and replace it with their own. As verification methods evolved it became even easier to stop an old SEO firm having access to those details.

When verification was removed you would see a notice like this appear next to the site in your account. After a while you get more and more of these sites and they simply stay in your account, greyed out, and you are unable to access them. So it’s just more efficient to remove them. So yeah, I thought, let’s clean that up.

About an hour later Nick, our developer, came back: “All done”. Just as I was thanking him, out of the corner of my eye I caught this tweet.

It turned out that another SEO I respect, @davenaylor, had just posted this story on his blog. A bunch of old unverified accounts in Dave’s Webmaster Tools account had just automatically become verified again. This is a major deal and has/had the potential, if widespread, to cost business billions in lost traffic. I’m not exaggerating. If someone who doesn’t like you has access to your Webmaster Tools account they can remove you from Google in the blink of an eye.

I quickly checked our own account but of course we had just removed all the old unverified accounts so there was nothing that could be reverified, or so I thought. A quick read of the comments over at Dave’s blog from other Aussie SEOs showed that no one in Australia seemed to be seeing the same thing.

Then I saw last night a couple of old clients’ accounts. I clicked on them and sure enough I had access to all their data. I thought about it. Surely this company (a major online retailer) would not have left their access open to us, but if they were unverified this morning, Nick would have removed them. This morning they were unverified and I had no access. It turned out that the flaw happened just as Nick was removing the unverified accounts. He didn’t remove this retailer as they were verified.

It looks like everything is back to normal now, but if your rankings have disappeared overnight you may want to log into Webmaster Tools and check your messages. If you employed a cheap vengeful SEO in the past, they may just have had a swipe at you.

 

UPDATE: I just went and checked the verification history. It clearly shows we were reverified and then removed again over 16 hours later.
