Security Issue in Google Website Optimizer


Google has identified a bug in Website Optimizer, its website testing and optimization tool, that leaves it vulnerable to a cross-site scripting (XSS) attack. The likelihood of such an attack is quite low, because it can only take place if a website or browser has already been compromised by a separate attack, and Google has already fixed the bug in its code so that new experiments are not vulnerable. Even so, users should update existing Website Optimizer code on their sites, and remove any stopped or paused experiments created before Dec. 3, to make sure they are not susceptible.

In an email sent to users, Google noted that Website Optimizer code can be updated either by making a fix to existing JavaScript control codes running on the site, or by stopping current experiments, removing the scripts and creating new experiments to replace them. Google recommends using the latter method, as it’s much simpler.

Photo courtesy Flickr user .Bala
