Earlier this week, security issues were found around two Google products: Google Website Optimizer and the Goo.gl URL shortener. The Goo.gl issue is not exactly a Google issue (it involves people using Goo.gl, Google's URL shortener, on Twitter to steal Twitter passwords). The Google Website Optimizer issue, however, is Google's.
In regard to the Website Optimizer issue, Google sent out an email to notify affected users about a potential security issue with the Website Optimizer Control Script; I also received the mail. The mail explained how to modify current experiments to make sure that there is no malicious code on the site. Google says that the probability of this attack is very low, but at the same time urged Website Optimizer users to take immediate action by updating their Control Scripts. In addition, Google said that it has taken action to fix the issue and that all new experiments created after December 3 are not susceptible. According to the mail, there are two ways to update the code:
- Stop current experiments, remove the old scripts, and create a new experiment.
- Update the code on your site directly. (Google strongly recommends creating a new experiment as it is the simpler method.)
Also, currently running experiments will continue to run as normal after the update has been made, so there's no need to pause the experiment or restart it from the beginning. At the end of the mail, Google apologized for the issue and gave an assurance that it would work to prevent such vulnerabilities in future to keep Website Optimizer secure.
The Goo.gl URL issue is being taken care of by Twitter, with Google having nothing to do with it, while the Website Optimizer issue has been solved as well. So, it is 'update and carry on with business' for all the users until, maybe, another bug or loophole is spotted. Hopefully not!