File this one under “Oops.” A security flaw in Google’s new Sitemaps service has been dug up that allows anyone to “claim ownership” of, and view statistics for, websites whose 404 error pages are improperly set up. Want to see site statistics for AOL, eBay, or About.com? The Sitemaps flaw will get you there, assuming you own them.
“Google requires you to verify that a site is yours by placing a file with a random filename in the root of your sites. However, if you (badly) employ custom 404 messages on your server, you may have instructed your server, inadvertently [sic], to declare all URLs within your domain as found,” writes SEO professional David Naylor on his weblog, where some interesting screenshots of statistical access to some major Internet players are found.
The problem is the result of an oversight that doesn’t take into account improperly coded 404 pages. After bringing up an eBay page, Danny Sullivan at Search Engine Watch writes:
“You'll see that eBay responds that the page doesn't exist. However, behind the scenes it redirects the request (sending a 301 server code) to another page that has a 200 Page Found code. As a result, along with Dave and Barry, I'm now looking at eBay's stats, along with AOL's stats.”
Sullivan suggests making sure all of your 404 pages are squared up and refers readers to Rex Swain’s HTTP Viewer to double check.
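A site owner can run the same check locally. The following is an added example, not code from the article or from Google: it requests a random filename that cannot exist, follows any redirects, and flags the site when the final answer is a 2xx instead of a 404. The two handler classes, the `/error.html` path and the probe filename are constructed for the demonstration.

```python
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def probe_missing_url(host, port, max_hops=5):
    """GET a random path that cannot exist; return every status code seen."""
    path = "/verify-" + secrets.token_hex(8) + ".html"  # constructed probe name
    chain = []
    for _ in range(max_hops):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        location = resp.getheader("Location")
        conn.close()
        chain.append(resp.status)
        if resp.status not in (301, 302, 303, 307, 308) or not location:
            break
        path = urlsplit(location).path or "/"  # simplification: same host only
    return chain

def is_soft_404(chain):
    """True when a missing URL ends in a 2xx answer, directly or via redirects."""
    return 200 <= chain[-1] < 300

class RedirectingErrorPage(BaseHTTPRequestHandler):
    """Constructed misconfiguration: 301 to an error page served with 200."""
    def do_GET(self):
        if self.path == "/error.html":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Sorry, that page doesn't exist.")
        else:
            self.send_response(301)
            self.send_header("Location", "/error.html")
            self.end_headers()
    def log_message(self, *args):
        pass  # keep the demo quiet

class Real404(RedirectingErrorPage):
    """Constructed correct setup: unknown paths get a real 404 status."""
    def do_GET(self):
        self.send_error(404)

def serve(handler):  # start a throwaway local server on a free port
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Against your own site, call `probe_missing_url` with your hostname and port 80; a chain such as `[301, 200]` is the pattern Sullivan describes, while `[404]` is what a correctly configured server returns.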