Security Issue with Google’s Website Optimizer

Quick announcement for those using Google Website Optimizer,

We just received an email from the Google Website Optimizer team informing us of a potential security issue. There is a vulnerability in the Website Optimizer Control Script that could let an attacker execute malicious code on a site through a Cross-Site Scripting (XSS) attack. Per Google’s statement, “This attack can only take place if a website or browser has already been compromised by a separate attack. While the immediate probability of this attack is low, we urge you to take action to protect your site.”

Google’s email alert also stated that the bug was fixed and that all new experiments (starting today and moving forward) are not susceptible.  Google does recommend that any experiments currently running should be updated (see instructions below) and any paused or stopped experiments created before December 3, 2010, should be removed or updated as well.

Google strongly recommends creating a new experiment (rather than simply removing and replacing the script) as the way to update the code. Here are the directions provided by Google in the email:

Creating a New Experiment

  1. Stop any currently running Website Optimizer experiments
  2. Remove all the Website Optimizer scripts from your site
  3. Create a new experiment as normal. New experiments are not vulnerable.
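
One way to verify step 2 before creating the new experiment, as an added example that is not from the original post or from Google: a scan of page HTML for leftover Website Optimizer scripts. It assumes the markers the legacy snippets used (an external script whose src ends in siteopt.js and inline utmx helper functions); the sample page is constructed.

```python
"""Find leftover Google Website Optimizer scripts in page HTML.

Added example; assumes the legacy snippet markers (siteopt.js, utmx).
"""
from html.parser import HTMLParser
import re

# Assumed markers of the legacy control/tracking snippets.
SRC_MARKER = re.compile(r"siteopt\.js", re.I)
INLINE_MARKER = re.compile(r"\butmx(_section)?\b", re.I)


class _ScriptFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (line, reason)
        self._in_script = False
        self._line = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        self._line = self.getpos()[0]
        src = dict(attrs).get("src") or ""
        if SRC_MARKER.search(src):
            self.findings.append((self._line, f"external script {src}"))

    def handle_data(self, data):
        # html.parser hands <script> bodies to handle_data as raw text.
        if self._in_script and INLINE_MARKER.search(data):
            self.findings.append((self._line, "inline utmx control script"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def find_optimizer_scripts(html):
    """Return (line, reason) for every Website Optimizer script found."""
    parser = _ScriptFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page with one legacy control script still in place.
SAMPLE = """<html><head>
<script>function utmx_section(){}function utmx(){}</script>
<script src="//www.google-analytics.com/siteopt.js?v=1&utmxkey=EXAMPLEKEY"></script>
<script src="/js/app.js"></script>
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for line, reason in find_optimizer_scripts(SAMPLE):
        print(f"line {line}: {reason}")
```

Run it over each template or page of the site; an empty result means no legacy script remains.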

Google said that “your experiment will continue as normal after you’ve made this update. There’s no need to pause or restart the experiment.”

Google’s Website Optimizer is a great (free) tool for improving website conversions, and we strongly recommend using it. But as with any plug-in or script, you have to stay up to date with security patches to ensure a safe user experience and a secure business.
