Security issue in Website Optimizer

In what is a rare move Google has directly reached out via email to those who are currently running Website Optimiser tests that there is in fact a major vulnerability in their Website Optimiser Control script, where a hacker can potentially execute malicious code on your site.  The attack can be done via a Cross-Site Scripting or XSS attack but Google advises that this would only be the case if your browser or website has already been compromised by a a previous attack.

The email advises the attack is low but it seemed urgent enough that they notified users direct via email and did not just respond by their standard blog posts, so the proactive nature is welcome.  The issue is that it appears that the bug was fixed after the 3rd of December but when you login to your website optimiser account there is no notifications or warnings that you should update your code.  Google advises that you either stop running current experiments, remove their old a/b testing and multivariate testing scripts shown below and create a new experiment or just update the website optimiser code directly.

<!– Google Website Optimizer Control Script –>

// <![CDATA[
function utmx_section(){}function utmx(){}(function(){var k=’XXXXXXXXXX’,d=document,l=d.location,c=d.cookie;function f(n){if(c){var i=c.indexOf(n+’=’);if(i>-1){var j=c.indexOf(‘;’,i);return c.substring(i+n.length+1,j<0?c.length:j)}}}var x=f(‘__utmx’),xx=f(‘__utmxx’),h=l.hash;d.write(”)})();
// ]]>//

<!– End of Google Website Optimizer Control Script –>

There is no official word on the Google blog covering the security issue and it appears to be only sent to those who have an existing experiments running, but does highlight the bigger issue that can blogs with non-active experiments still be at risk from the Cross-Site Scripting attacks.  Google advise that any scripts from paused or stopped experiments created before 3rd December 2010 you need to remove or update that code also, which is going to have implications for large websites who may have the website optimiser code on hundreds or pages and sites.

Also thanks to Trevor Claiborne at the Google Website Optimiser Team for sending out the email, it would be great if they can send it to all Website optimiser accounts who are still at risk because they might have the old testing code in place.

UPDATE# As per the comments below, appreciate the reach out from Vinny from the Google Analytics Singapore team who has sent through the link to the official Google post on the bug.

7 comments

  1. Patrick says:

    Hi there,

    got the same mail in German (live in Germany), but as you said, there is no official word on the google blog :( as long as I cant see anything about it, I would’nt do anything..

    Do you have any other informations about that? Any official statement?

    • David says:

      Hello Patrick,

      Yes I agree it’s interesting as it came through on an old email account for a US website but I agree it’s annoying that there is no official word yet, but why would someone goto so much trouble to fake it? I’ve reached out to a contact at Google who will hopefully be able to get back with something more official.

      David

  2. casey g says:

    I am questioning the validity of this email. NOWHERE on googles sites does it mention this email. Which in my opinion means its a fake. Google is not stupid and I don’t believe they would reach out in this fashion. It would be posted on an official google site, and then linked to for more info in the email body. Is this a hoax??? I’m sure questioning it.

    • David says:

      Hello Casey,

      I think if it is a real security threat it’s a smarter way to notify users as not everyone will visit the Google blog’s regularlly but most people are fairly ontop of checking emails, will try and see if I can get an update this morning.

      David

  3. Hi David,

    There is official word up now on the Google Website Optimizer blog at http://websiteoptimizer.blogspot.com/2010/12/update-your-website-optimizer-scripts.html Hope that helps!

    Cheers,
    Vinny
    Google Analytics Team

    • David says:

      Vinny,

      Thank you for the update on the official post, it should confirm with a few people that it’s a real bug not just a fake email. Also for those members in Asia Pacific region they can obviously follow you on Twitter as @Vinoaj to keep in the loop on any future news and updates related to our region around Google Analytics.

      David

  4. […] Security Issue in Website Optimiser – This was a nice breaking news piece that focused on an urgent update from Google […]