
Google Website Optimizer Security Bug and How to Fix It


CREATIVE Options:
Yesterday I received an email from Google, as a Website Optimizer user, warning that the Control Script that GWO has site owners paste into their test (landing) pages contains a cross-site scripting (XSS) vulnerability:

    We are writing to inform you of a potential security issue with Website Optimizer. By exploiting a vulnerability in the Website Optimizer Control Script, an attacker might be able to execute malicious code on your site using a Cross-Site Scripting (XSS) attack. This attack can only take place if a website or browser has already been compromised by a separate attack. While the immediate probability of this attack is low, we urge you to take action to protect your site.

Google has fixed the Control Script it now generates, but that does not help pages that already carry the old script: the vulnerable code lives in your own HTML, so every test page that contains it has to be updated by you. Google's recommended route is to stop the current experiments and recreate them, which gives you freshly generated (non-vulnerable) code:

    Creating a New Experiment

       1. Stop any currently running Website Optimizer experiments
       2. Remove all the Website Optimizer scripts from your site
       3. Create a new experiment as normal. New experiments are not vulnerable.

If you would rather keep your current experiments running, you can instead patch the existing Control Script in place on each test page. These are Google's instructions for doing that:

       1. Locate the Control Script on your site. It looks like this:

    A/B Test Control Script
   
--- Code: ---<!-- Google Website Optimizer Control Script -->
    <script>
    function utmx_section(){}function utmx(){}
    (function(){var k='XXXXXXXXXX',d=document,l=d.location,c=d.cookie;function f(n){
    if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);return c.substring(i+n.
    length+1,j<_x0030__x003f_c.length:j_x0029__x007d__x007d__x007d_var x="f('__utmx'),xx=f('__utmxx'),h=l.hash;">
    d.write('<sc'+'ript src="'+
    'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
    +'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+'&utmxtime='
    +new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1)):'')+
    '" charset="utf-8"></sc'+'ript>')})();
    </script><script>utmx("url",'A/B');</script>
    <!-- End of Google Website Optimizer Control Script -->
--- End code ---

    Multivariate Test Control Script
   
--- Code: --- <!-- Google Website Optimizer Control Script -->
    <script>
    // Google Website Optimizer Multivariate Control Script -- the ORIGINAL, vulnerable form.
    // Reproduced only so you can recognise it on your own pages; do not deploy this version.
    // utmx_section/utmx are placeholder stubs; siteopt.js, loaded below, takes over from them.
    function utmx_section(){}function utmx(){}
    (function(){var k='XXXXXXXXXX',d=document,l=d.location,c=d.cookie;function f(n){
    // f(n) returns the raw value of cookie n (text between "n=" and the next ";").
    // THE BUG: the value is returned unescaped. A cookie value containing '"' or '>'
    // is later concatenated into the src="..." attribute written by d.write() and can
    // therefore break out of the attribute and inject markup (the XSS Google describes).
    if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);return c.substring(i+n.
    length+1,j<0?c.length:j)}}}var x=f('__utmx'),xx=f('__utmxx'),h=l.hash;
    // Sink: x and xx (cookie values) are spliced into HTML. Only the URL fragment h is
    // escape()d here -- the cookie values are not, which is what the fix adds.
    // '<sc'+'ript' keeps the HTML parser from seeing a literal script tag inside this
    // script block. The host follows the page protocol (https -> ssl.google-analytics.com).
    d.write('<sc'+'ript src="'+
    'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
    +'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+'&utmxtime='
    +new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1)):'')+
    '" charset="utf-8"></sc'+'ript>')})();
    </script>
    <!-- End of Google Website Optimizer Control Script -->
--- End code ---

       1. Locate the following in the Control Script:
--- Code: ---return c.substring(...
--- End code ---
       2. Modify the following line as shown:
          BEFORE:
--- Code: --- return c.substring(i+n.length+1,j<0?c.length:j)
--- End code ---
          FIXED:
--- Code: --- return escape(c.substring(i+n.length+1,j<0?c.length:j))
--- End code ---
          Make sure to include the final closing parenthesis: `escape(` wraps the whole `c.substring(...)` call, so one extra `)` is needed after it. After saving, reload the page with the browser's script console open and confirm there is no syntax error and that siteopt.js is still requested; a missing or misplaced parenthesis breaks the entire Control Script, which would stop the experiment running on that page.
--- Code: --- “)”
--- End code ---

    Fixed A/B Control Script
   
--- Code: --- <!-- Google Website Optimizer Control Script -->
    <script>
    // Google Website Optimizer A/B Control Script -- FIXED version (Google-supplied).
    // Paste this exactly as given, substituting only your own experiment key for k.
    // utmx_section/utmx are placeholder stubs; siteopt.js, loaded below, takes over from them.
    // f(n) returns the value of cookie n (text between "n=" and the next ";").
    function utmx_section(){}function utmx(){} (function(){var k='XXXXXXXXXX',d=document,l=d.location,c=d.cookie;function f(n){ if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);
    // THE FIX: the cookie value is passed through escape() before it is returned.
    // escape() percent-encodes '"', "'", '<', '>' and spaces, so a hostile cookie value
    // can no longer close the src="..." attribute written by d.write() below.
    // escape() is a legacy function, but it is the exact change Google issued; keep it
    // as-is rather than substituting another encoder without re-testing against siteopt.js.
    return escape(c.substring(i+n.length+1,j<0?c.length:j))}}}
    // x and xx are the (now escaped) cookie values; h is the URL fragment, which was
    // already escape()d in the original script.
    // '<sc'+'ript' keeps the HTML parser from seeing a literal script tag inside this
    // script block. The host follows the page protocol (https -> ssl.google-analytics.com).
    var x=f('__utmx'),xx=f('__utmxx'),h=l.hash; d.write('<sc'+'ript src="'+
    'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
    +'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+'&utmxtime='
    +new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1)):'')+
    '" charset="utf-8"></sc'+'ript>')})();
    </script><script>utmx("url",'A/B');
    </script>
    <!-- End of Google Website Optimizer Control Script -->

--- End code ---
    Fixed Multivariate Control Script
 
--- Code: ---  <!-- Google Website Optimizer Control Script -->
    <script>
    // Google Website Optimizer Multivariate Control Script -- FIXED version (Google-supplied).
    // Paste this exactly as given, substituting only your own experiment key for k.
    // utmx_section/utmx are placeholder stubs; siteopt.js, loaded below, takes over from them.
    function utmx_section(){}function utmx(){}
    (function(){var k='XXXXXXXXXX',d=document,l=d.location,c=d.cookie;function f(n){
    // f(n) returns the value of cookie n (text between "n=" and the next ";").
    if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);
    // THE FIX: the cookie value is passed through escape() before it is returned.
    // escape() percent-encodes '"', "'", '<', '>' and spaces, so a hostile cookie value
    // can no longer close the src="..." attribute written by d.write() below.
    // escape() is a legacy function, but it is the exact change Google issued; keep it
    // as-is rather than substituting another encoder without re-testing against siteopt.js.
    return escape(c.substring(i+n.length+1,j<0?c.length:j))}}}
    // x and xx are the (now escaped) cookie values; h is the URL fragment, which was
    // already escape()d in the original script.
    // '<sc'+'ript' keeps the HTML parser from seeing a literal script tag inside this
    // script block. The host follows the page protocol (https -> ssl.google-analytics.com).
    var x=f('__utmx'),xx=f('__utmxx'),h=l.hash; d.write('<sc'+'ript src="'+
    'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
    +'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+'&utmxtime='
    +new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1)):'')+
    '" charset="utf-8"></sc'+'ript>')})();
    </script>
    <!-- End of Google Website Optimizer Control Script -->
--- End code ---

In the listings above, `k='XXXXXXXXXX'` is a placeholder for your experiment key: use the value already present in the Control Script on your page (the same string that appears as `utmxkey` in the generated script URL), not the Xs. If you are patching in place, only the `return` line changes — everything else in your existing script, including `k`, stays exactly as it is.
After the code is updated, there is no need to stop the experiments or create new experiments to replace them.
All new experiments starting today will use the new code and thus will not have the security flaw.
