Google announces a security issue with its Website Optimiser
Wednesday 08 December, 2010
Google sent out an email today informing users that they have discovered a security issue with their Website Optimiser script. Google's Website Optimiser is a tool that allows you to test and optimise your website content to help increase traffic to your website. The vulnerability is in Google's Website Optimiser Control Script, which was written in a way that allows a hacker to execute malicious code on your site using a Cross-Site Scripting (XSS) attack. Google have now changed the script and are asking Website Optimiser users to upgrade to the new script. Google have not indicated how many websites using the Website Optimiser tool have been affected, but advise that the probability of this attack is low.
The good news is that Your Online Shop ecommerce websites are NOT affected, as this code is not used on any ecommerce website created by us. If you think you are using Google Website Optimiser on an ecommerce website designed by Your Online Shop, please contact me and I will look into it for you.
Here is an excerpt from the email sent by Google.
"We are writing to inform you of a potential security issue with Website Optimiser. By exploiting a vulnerability in the Website Optimiser Control Script, an attacker might be able to execute malicious code on your site using a Cross-Site Scripting (XSS) attack. This attack can only take place if a website or browser has already been compromised by a separate attack. While the immediate probability of this attack is low, we urge you to take action to protect your site.
"We have fixed the bug, and all new experiments are not susceptible. However, any experiments you are currently running need to be updated to fix the bug on your site. Additionally, if you have any Website Optimiser scripts from paused or stopped experiments created before 3 December 2010, you will need to remove or update that code as well."