How to hijack all traffic and all clients from Yandex with only a webmaster?

I will now publish the method of hijacking all search traffic and all clients of any site using Yandex in 5 minutes without any knowledge if you have access to one ONLY Yandex Webmaster. Unfortunately, site owners may suffer from this, but I just don’t see any other way out. At the moment, Yandex technical support simply closes the eyes to the problem. I am not sure that the problem is known to management at all and whether the information goes further than Platonov and therefore I have to publish this vulnerability in order to attract Yandex’s attention to it as soon as possible and save as many sites as possible.


Let's be honest - a Yandex Webmaster account is quite easy to get during any work or by offering a free audit to the site owner. The Webmaster service itself is perceived by the owners as informational, and often they do not know about it at all. And they do not know for sure that with the help of this service it is possible to take away all positions and all traffic to the site from the search.

It's like the keys to an apartment. When I give them, I expect that you can go in there and break something there, ok, I'm ready for it. But the current bug allows you to rewrite the apartment to yourself and very few people are ready for this when they give the other person the keys.
')
Let's take it in order. I will say right away - the site of my friend, not your own.

I go see the traffic from various sources in Yandex Metric and see that the traffic from Yandex dropped to zero a little more than a week ago. I think maybe some kind of problem, I go to Yandex Webmaster to study the problems and I see that the site is in the list as a child, which is not the main mirror of some third-party domain on which there is a non-functional copy of the stolen site.

I look at the list of accesses in Yandex Webmasters - there is a third-party user there. I delete the user, delete his meta tag and confirmation file, change all passwords in a circle.

I am looking for where the main mirror is indicated - I find the “Mirror posting” point there and try to unstick it. It turns out that you can not glue sites until they return the same content.

That is, Yandex does not recognize any supremacy of the site created earlier, as soon as a new mirror was indicated to it - it is not possible to return it back.



Discussion of the issue with technical support was reduced only to the fact that they could not help.

So how to steal something?

• Please open Yandex Webmaster to see the statistics or add it yourself through the confirmation file if you are given access so that you change the phone in the header (I exaggerate)
• We deploy a simple copy of an external site or a real copy if we had access to the files.
• Send a request for transfer via Yandex Webmaster

After this, Yandex throws out the old site from the search completely and shows all the search queries for the new site.

More transparent?

Any person with any level of knowledge can create an account on freelancing or a topic on the forum indicating that he is building a personal brand and is ready to take several orders for reviews and a portfolio for website development, layout, editing, auditing, change the phone in the header, etc. And just upload the file or meta confirmation tag and re-paste the site to the new domain.

So dozens of sites a day can be stolen.

This not normal. In this case, the Yandex policy and the lack of supremacy of the first domain, at least for a few months, allow a huge number of scammers to conduct such operations. That is, the algorithms and policies of Yandex for changing the primary mirror are critical vulnerabilities.

If representatives or employees of Yandex read this, please convey the information to the people responsible for this functionality. I just want to cover this vulnerability. It doesn’t matter - by introducing the possibility of re-sticking it back, with new instructions for technical support or, at least, with an information letter wherever possible about domain plywood, there wasn’t even an informative letter. Even notifications.

I saw it by chance.

And if you, dear reader, do not work in Yandex, but you have your own websites - check that webmaster.yandex.ru has no extra people in the “Users who manage the site” section.

Yandex representatives, please take action on this.

My suggestions:
1) Give the advantage of the main mirror over the new
2) Confirmation of the change of the main mirror through a letter to the mail
3) Notification of the fact of the change by SMS