How to hijack all of a site's traffic and customers from Yandex with nothing but Webmaster access?
I am going to publish a way to hijack all the search traffic and all the clients of any site that uses Yandex, in 5 minutes and without any special knowledge, if you have access to ONLY Yandex Webmaster. Unfortunately, site owners may suffer from this, but I simply don't see any other way out. At the moment Yandex technical support just turns a blind eye to the problem. I'm not sure the problem is known to management at all, or whether the information ever gets beyond Platonov, so I have to publish this vulnerability in order to draw Yandex's attention to it as soon as possible and save as many sites as possible.
Let's be honest: a Yandex Webmaster account is quite easy to get in the course of any work on a site, or by offering the owner a free audit. Owners perceive the Webmaster service itself as purely informational, and often don't know about it at all. And they certainly don't know that, with the help of this service, all of a site's positions and all of its search traffic can be taken away.
It's like the keys to an apartment. When I hand them over, I expect that you can go in and break something there; fine, I'm ready for that. But the current bug lets you re-register the apartment in your own name, and few people are ready for that when they give their keys to another person.
Let's go in order. I'll say right away: the site belongs to a friend of mine, not to me.
I open Yandex Metrica to look at traffic from the various sources and see that traffic from Yandex dropped to zero a little more than a week ago. I think maybe there is some kind of problem, go to Yandex Webmaster to look into it, and see that the site is listed as a child, i.e. a non-main mirror, of some third-party domain hosting a non-functional copy of the stolen site.
I look at the list of accesses in Yandex Webmaster: there is a third-party user there. I delete the user, delete his meta tag and confirmation file, and change all the passwords all round.
I look for where the main mirror is indicated, find the "Unlock mirrors" item there and try to unglue the sites. It turns out that sites cannot be unglued as long as they return the same content.
That is, Yandex does not recognise any precedence of the previously created site: as soon as a new main mirror is indicated to it, the old one cannot be restored.
The discussion with technical support came down only to the statement that they cannot help.
So how is the theft carried out?
- We ask to be given Yandex Webmaster access to look at the statistics, or add it ourselves through the confirmation file if we were given access, say, to change the phone number in the header (I exaggerate)
- We simply deploy a copy of the site on an external domain, or a real copy if we had access to the files
- We send a request to transfer the site via Yandex Webmaster
After that, Yandex throws the old site out of the search completely and shows the new site for all search queries.
Anyone, at any level of knowledge, can create an account on a freelance exchange or a topic on a forum saying that they are currently building a personal brand and are ready to take a few orders for reviews and a portfolio: finishing a site, layout, editing, auditing, changing the phone number in the header, etc. And then simply upload a file or a confirmation meta tag and re-glue the site to a new domain.
So dozens of sites a day can be stolen.
This is not normal. Yandex's policy, and the lack of any precedence for the first domain for at least several months, allow a huge number of fraudsters to carry out such operations. That is, Yandex's algorithms and policies for changing the main mirror are critical vulnerabilities.
If Yandex representatives or employees read this, please bring the information to the people responsible for this functionality. I just want this vulnerability closed. It doesn't matter how: by introducing the ability to glue the site back, by new instructions for technical support, or at least by an informational letter, wherever possible, about the domain being re-glued. There wasn't even an informational letter. Not even a notification.
I noticed it by chance.
And if you, dear reader, don't work at Yandex but have your own sites, check that there is no one superfluous in the "Users managing the site" section of webmaster.yandex.ru.
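A check a site owner can script alongside that manual review, as an added example that is not part of the original post: it assumes ownership is proven either by a yandex-verification meta tag in the page head or by a yandex_TOKEN.html file in the document root (adjust the shapes to what your own account issued), and flags any token you did not issue yourself, since a planted token is exactly what lets a third party add the site to their Webmaster account.

```python
from html.parser import HTMLParser
import re

# Assumed artefact shapes (check against what your own Webmaster account issued):
# a <meta name="yandex-verification" content="TOKEN"> tag in the page head, or a
# file named yandex_TOKEN.html in the document root.
VERIFICATION_FILE = re.compile(r"^yandex_([0-9a-z]+)\.html$", re.IGNORECASE)

class _MetaCollector(HTMLParser):
    """Collects the content of every yandex-verification meta tag."""
    def __init__(self):
        super().__init__()
        self.tokens = set()

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}   # attribute order varies
        if a.get("name", "").lower() == "yandex-verification" and a.get("content"):
            self.tokens.add(a["content"].strip())

def meta_tokens(html):
    """All verification tokens found in an HTML document."""
    p = _MetaCollector()
    p.feed(html)
    return p.tokens

def file_tokens(filenames):
    """Tokens implied by verification files among document-root entries."""
    return {m.group(1) for m in map(VERIFICATION_FILE.match, filenames) if m}

def unexpected_tokens(html, filenames, allowlist):
    """Tokens present on the site that were not issued to an account you control."""
    return (meta_tokens(html) | file_tokens(filenames)) - set(allowlist)

# Constructed sample: one token you issued yourself, two planted by a third party
# (one as a meta tag with reversed attribute order, one as a file).
SAMPLE_HTML = """<html><head>
<meta name="yandex-verification" content="aaaa1111bbbb2222">
<meta content="1234abcd5678ef90" name="yandex-verification">
</head><body>Hello</body></html>"""
SAMPLE_FILES = ["index.html", "robots.txt", "yandex_0f0f0f0f0f0f0f0f.html"]
OWN_TOKENS = {"aaaa1111bbbb2222"}

if __name__ == "__main__":
    for token in sorted(unexpected_tokens(SAMPLE_HTML, SAMPLE_FILES, OWN_TOKENS)):
        print("unexpected verification token:", token)
```

Run it against the served HTML of your start page and a listing of the document root; any token it reports should be removed and the matching user deleted from the Webmaster access list.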
Yandex representatives, please take the following measures:
1) Give the existing main mirror precedence over a new one
2) Require confirmation of a change of main mirror via a letter to the registered email address
3) Notify the owner of the change by SMS