Users of Google Website Optimiser were sent an email this week from the Google engineering team regarding a serious security issue in Website Optimiser.
A vulnerability in the Website Optimiser control script makes it possible for hackers to break into any site using the code and then use that site to launch a cross-site scripting (XSS) attack.
In other words, hackers can exploit the vulnerability in the Google code to send out malicious material, such as email spam or embedded viruses, from any site that is using the code, which could then destroy important data on the computers of visitors to those websites.
The good news is that this can be done only if the website or browser has been previously compromised during an earlier attack. Moreover, Google have detected the issue and are proactively informing webmasters about the potential problem. The Website Optimiser team suggests that the possibility of such a thing happening is low. Nevertheless, it would be wise to take appropriate precautions before it is too late.
The bad news is that Google could potentially drop the affected website from its organic rankings for hosting the malicious code that was introduced in the first place via a vulnerability in Google’s own programming!
Any Website Optimiser experiments created before the 3rd of December 2010, even if they have been paused or stopped, should either use the new code provided by Google or be stopped completely: remove all the old code from the site and create a new experiment in its place. It is easier to create a new experiment than to update the code directly on the site.
New experiments created after the 3rd of December 2010 are safe from the possibility of an XSS attack, as the Website Optimiser team has already patched the vulnerability to protect new experiments.
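The two remediation checks above (find every experiment created before the 3 December 2010 cutoff, paused or stopped ones included, and find every page that still embeds the old control script) are easy to get wrong on a site with many pages. The following audit helper is an added example, not Google's code or anything from the advisory. The experiment inventory and page contents are constructed sample data, and the marker string used to recognise the legacy snippet is a placeholder: substitute the snippet identified in Google's email.

```python
"""Audit helper for the Website Optimiser advisory (added example).

Two checks a site owner would run, both illustrative and not Google's code:
  1. Which experiments in an inventory were created before the 3 December 2010
     cutoff, regardless of whether they are paused or stopped.
  2. Which pages still embed the legacy control script, located by a marker
     string that is a PLACEHOLDER here; substitute the snippet from Google's notice.
"""
from datetime import date
import re

# Cutoff date given in the advisory: experiments created before this date
# must be recreated with the new code.
PATCH_DATE = date(2010, 12, 3)

# Placeholder marker for the legacy control script. This is an assumption
# standing in for whatever snippet Google's notice identifies.
LEGACY_MARKERS = ("legacy-optimiser-control-script",)


def experiments_needing_action(experiments):
    """Return, sorted, the names of experiments created before PATCH_DATE.

    `experiments` is an iterable of (name, created, status) tuples. The status
    is deliberately ignored: paused and stopped experiments are affected too.
    """
    return sorted(
        name for name, created, _status in experiments if created < PATCH_DATE
    )


def pages_with_legacy_code(pages, markers=LEGACY_MARKERS):
    """Map each page path to the 1-based line numbers that contain a marker.

    `pages` maps a path to that page's HTML text. Pages with no hit are omitted.
    Matching is case-insensitive so a differently cased copy is not missed.
    """
    pattern = re.compile("|".join(re.escape(m) for m in markers), re.IGNORECASE)
    hits = {}
    for path, html in pages.items():
        lines = [
            number
            for number, line in enumerate(html.splitlines(), start=1)
            if pattern.search(line)
        ]
        if lines:
            hits[path] = lines
    return hits


# Constructed sample data: an experiment inventory and two site pages.
SAMPLE_EXPERIMENTS = [
    ("homepage-headline", date(2010, 11, 20), "paused"),
    ("checkout-button", date(2010, 12, 2), "stopped"),
    ("pricing-layout", date(2010, 12, 10), "running"),
]

SAMPLE_PAGES = {
    "index.html": (
        "<html><head>\n"
        "<script>/* legacy-optimiser-control-script */</script>\n"
        "</head><body>Welcome</body></html>\n"
    ),
    "pricing.html": "<html><body>No experiment code here</body></html>\n",
}

if __name__ == "__main__":
    print("Experiments to recreate:", experiments_needing_action(SAMPLE_EXPERIMENTS))
    print("Pages still carrying the old snippet:", pages_with_legacy_code(SAMPLE_PAGES))
```

Run against a real site, `SAMPLE_PAGES` would be replaced by the HTML read from every template and static page, and `SAMPLE_EXPERIMENTS` by the creation dates shown in the Website Optimiser interface; a page that still matches after the new experiment has been created is one where the old code was not fully removed.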