Security issue in Website Optimizer - Real or Fake?

by Mukul Verma

Posted: 13 years ago 14 replies

INTERNET MARKETING

I got this email from google this morning (well is it google).

I gotta say I am questioning it, but it is one of the best fake emails I have seen, but it gets better.

---------------
Security issue in Website Optimizer

Dear Website Optimizer user,

We are writing to inform you of a potential security issue with Website Optimizer. By exploiting a vulnerability in the Website Optimizer Control Script, an attacker might be able to execute malicious code on your site using a Cross-Site Scripting (XSS) attack. This attack can only take place if a website or browser has already been compromised by a separate attack. While the immediate probability of this attack is low, we urge you to take action to protect your site.
We have fixed the bug, and all new experiments are not susceptible. However, any experiments you are currently running need to be updated to fix the bug on your site. Additionally, if you have any Website Optimizer scripts from paused or stopped experiments created before December 3, 2010, you will need to remove or update that code as well.
There are two ways to update your code. You can either stop current experiments, remove the old scripts, and create a new experiment, or you can update the code on your site directly. We strongly recommend creating a new experiment as it is the simpler method.
Creating a New Experiment
1. Stop any currently running Website Optimizer experiments
2. Remove all the Website Optimizer scripts from your site
3. Create a new experiment as normal. New experiments are not vulnerable.
Updating the Website Optimizer Control Script Directly
1. Locate the Control Script on your site. It looks like this:
A/B Test Control Script

<script>
function utmx_section(){}function utmx(){}
(function(){var k='XXXXXXXXXX',d=document,l=d.location,c=d.cookie; function f(n){
if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);return c.substring(i+n.
length+1,j
d.write('<sc'+'ript src="'+
'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
+'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utm xx='+(xx?xx:'')+'&utmxtime='
+new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1 )):'')+
'" type="text/javascript" charset="utf-8"></sc'+'ript>')})();
</script><script>utmx("url",'A/B');</script>

Multivariate Test Control Script

<script>
function utmx_section(){}function utmx(){}
(function(){var k='XXXXXXXXXX',d=document,l=d.location,c=d.cookie; function f(n){
if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);return c.substring(i+n.
length+1,j<0?c.length:j) } var x=f('__utmx'),xx=f('__utmxx'),h=l.hash;
d.write('<sc'+'ript src="'+
'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
+'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utm xx='+(xx?xx:'')+'&utmxtime='
+new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1 )):'')+
'" type="text/javascript" charset="utf-8"></sc'+'ript>')})();
</script>

2. Locate the following in the Control Script: return c.substring(...
3. Modify the following line as shown:
BEFORE: return c.substring(i+n.length+1,j<0?c.length:j)
FIXED: return escape(c.substring(i+n.length+1,j<0?c.length:j))
Make sure to include the final closing parenthesis ")"
Fixed A/B Control Script

<script>
function utmx_section(){}function utmx(){} (function(){var k='XXXXXXXXXX',d=document,l=d.location,c=d.cookie; function f(n){ if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);
return escape(c.substring(i+n.length+1,j<0?c.length:j)) } } }
var x=f('__utmx'),xx=f('__utmxx'),h=l.hash; d.write('<sc'+'ript src="'+
'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
+'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utm xx='+(xx?xx:'')+'&utmxtime='
+new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1 )):'')+
'" type="text/javascript" charset="utf-8"></sc'+'ript>')})();
</script><script>utmx("url",'A/B');
</script>

Fixed Multivariate Control Script

<script>
function utmx_section(){}function utmx(){}
(function(){var k='XXXXXXXXXX',d=document,l=d.location,c=d.cookie; function f(n){
if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);
return escape(c.substring(i+n.length+1,j<0?c.length:j)) } } }
var x=f('__utmx'),xx=f('__utmxx'),h=l.hash; d.write('<sc'+'ript src="'+
'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
+'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utm xx='+(xx?xx:'')+'&utmxtime='
+new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1 )):'')+
'" type="text/javascript" charset="utf-8"></sc'+'ript>')})();
</script>

Note that the k=XXXXXXXXX line in the above Control Script examples is a placeholder.
Your experiment will continue as normal after you've made this update. There's no need to pause or restart the experiment.
We're committed to keeping Website Optimizer secure, and we're deeply sorry for this issue. We will continue to work hard to prevent future vulnerabilities.

Sincerely,
Trevor
Google Website Optimizer Team

----------------------------

I google it to see if its real and a # of sites are saying it is real
"Security issue in Website Optimizer" - Google Search

hhmmm....I think that whoever behind this also knows people will do that and has dominated google search before others post.

Is it real or not real? I am not sure, but I would think other warriors have got it as well.

Cheers,
Mukul

#fake #issue #optimizer #real #security #website

WillR 13 years ago

Well that makes two of us. I posted this thread earlier today...

http://www.warriorforum.com/main-int...optimizer.html
- Thanks
Signature

.
âž¨ Here's How to Make Your First $177 Online
This Week Using the Piggyback Method...

.
{{ DiscussionBoard.errors[2977484].message }}
Mukul Verma 13 years ago

Not to self, read other posts....

I hope we get some responses on it since I dont think we are alone
- Thanks
- 1 reply
Signature

Learn How To Get Over 1 Million FREE, TARGETED VISITORS TO YOUR WEBSITE

Internet Marketing
{{ DiscussionBoard.errors[2977519].message }}
- NoOne1 13 years ago
  
  Found this forum through a Google search regarding the same email, which I also received.
  
  But, one thing stands out - the email I received and the one noted above uses the term Website Optimizer with a Z, but the one pasted by WillR uses an S:
  
  Security Issue in Website Optimiser
  
  Dear Website Optimiser user,
  
  We are writing to inform you of a potential security issue with Website Optimiser. By exploiting a vulnerability in the Website Optimiser Control Script, an attacker might be able to execute malicious code on your site using a Cross-Site Scripting (XSS) attack. This attack can only take place if a website or browser has already been compromised by a separate attack. While the immediate probability of this attack is low, we urge you to take action to protect your site.
  
  Just seems odd.......why wouldn't ALL emails be EXACTLY the same?? And are all the scripts the same?
  
  Thanks
  
  2 replies
  
  {{ DiscussionBoard.errors[2977930].message }}
  
  Mukul Verma 13 years ago
  
  Thats a good catch.
  
  Thanks
  
  Signature
  
  Learn How To Get Over 1 Million FREE, TARGETED VISITORS TO YOUR WEBSITE
  
  Internet Marketing
  
  {{ DiscussionBoard.errors[2977953].message }}
  
  WillR 13 years ago
  
  Originally Posted by NoOne1
  
  But, one thing stands out - the email I received and the one noted above uses the term Website Optimier with a Z, but the one pasted by WillR uses an S:
  
  I am located in Australia guys. We spell optimiser with an 'S' not a 'Z'. This tends to make me believe this email is legitimate. I don't think a spammer would waste their time with this.
  
  Ah well, easiest way is to just cancel any tests you have running and re-deploy them I guess.
  
  Thanks
  
  Signature
  
  .
  âž¨ Here's How to Make Your First $177 Online
  This Week Using the Piggyback Method...
  
  .
  
  {{ DiscussionBoard.errors[2979930].message }}

Caleb Spilchen

13 years ago

I got it with a Z in it.

Security issue in Website Optimizer
<img alt="Google Website Optimizer" align="right" width="232" height="30"> Dear Website Optimizer user,
We are writing to inform you of a potential security issue with Website Optimizer. By exploiting a vulnerability in the Website Optimizer Control Script, an attacker might be able to execute malicious code on your site using a Cross-Site Scripting (XSS) attack. This attack can only take place if a website or browser has already been compromised by a separate attack. While the immediate probability of this attack is low, we urge you to take action to protect your site.
We have fixed the bug, and all new experiments are not susceptible. However, any experiments you are currently running need to be updated to fix the bug on your site. Additionally, if you have any Website Optimizer scripts from paused or stopped experiments created before December 3, 2010, you will need to remove or update that code as well.
There are two ways to update your code. You can either stop current experiments, remove the old scripts, and create a new experiment, or you can update the code on your site directly. We strongly recommend creating a new experiment as it is the simpler method.
Creating a New Experiment

Stop any currently running Website Optimizer experiments
Remove all the Website Optimizer scripts from your site
Create a new experiment as normal. New experiments are not vulnerable.

Updating the Website Optimizer Control Script Directly

Locate the Control Script on your site. It looks like this:

A/B Test Control Script

<script>
function utmx_section(){}function utmx(){}
(function(){var k='XXXXXXXXXX',d=document,l=d.location,c=d.cookie; function f(n){
if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);return c.substring(i+n.
length+1,j<0?c.length:j) } var x=f('__utmx'),xx=f('__utmxx'),h=l.hash;
d.write('<sc'+'ript src="'+
'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
+'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utm xx='+(xx?xx:'')+'&utmxtime='
+new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1 )):'')+
'" type="text/javascript" charset="utf-8"></sc'+'ript>')})();
</script><script>utmx("url",'A/B');</script>

Multivariate Test Control Script

<script>
function utmx_section(){}function utmx(){}
(function(){var k='XXXXXXXXXX',d=document,l=d.location,c=d.cookie; function f(n){
if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);return c.substring(i+n.
length+1,j<0?c.length:j) } var x=f('__utmx'),xx=f('__utmxx'),h=l.hash;
d.write('<sc'+'ript src="'+
'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
+'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utm xx='+(xx?xx:'')+'&utmxtime='
+new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1 )):'')+
'" type="text/javascript" charset="utf-8"></sc'+'ript>')})();
</script>

Locate the following in the Control Script: return c.substring(...
Modify the following line as shown:
BEFORE: return c.substring(i+n.length+1,j<0?c.length:j)
FIXED: return escape(c.substring(i+n.length+1,j<0?c.length:j))
Make sure to include the final closing parenthesis “)”

Fixed A/B Control Script

<script>
function utmx_section(){}function utmx(){} (function(){var k='XXXXXXXXXX',d=document,l=d.location,c=d.cookie; function f(n){ if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);
return escape(c.substring(i+n.length+1,j<0?c.length:j)) }
var x=f('__utmx'),xx=f('__utmxx'),h=l.hash; d.write('<sc'+'ript src="'+
'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
+'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utm xx='+(xx?xx:'')+'&utmxtime='
+new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1 )):'')+
'" type="text/javascript" charset="utf-8"></sc'+'ript>')})();
</script><script>utmx("url",'A/B');
</script>

Fixed Multivariate Control Script

<script>
function utmx_section(){}function utmx(){}
(function(){var k='XXXXXXXXXX',d=document,l=d.location,c=d.cookie; function f(n){
if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);
return escape(c.substring(i+n.length+1,j<0?c.length:j)) }
var x=f('__utmx'),xx=f('__utmxx'),h=l.hash; d.write('<sc'+'ript src="'+
'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
+'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utm xx='+(xx?xx:'')+'&utmxtime='
+new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1 )):'')+
'" type="text/javascript" charset="utf-8"></sc'+'ript>')})();
</script>

Note that the k=XXXXXXXXX line in the above Control Script examples is a placeholder.
Your experiment will continue as normal after you’ve made this update. There’s no need to pause or restart the experiment.
We’re committed to keeping Website Optimizer secure, and we’re deeply sorry for this issue. We will continue to work hard to prevent future vulnerabilities.

Sincerely,
Trevor
Google Website Optimizer Team

Thanks

Signature

Canadian Expat Living in Medellin, Colombia

{{ DiscussionBoard.errors[2977959].message }}

Caleb Spilchen 13 years ago

Note that the e-mail is actually encoded in base64. View original in GMAIL.
- Thanks
Signature

Canadian Expat Living in Medellin, Colombia
{{ DiscussionBoard.errors[2977971].message }}
Mukul Verma 13 years ago

So is this deal or fake?
- Thanks
- 1 reply
Signature

Learn How To Get Over 1 Million FREE, TARGETED VISITORS TO YOUR WEBSITE

Internet Marketing
{{ DiscussionBoard.errors[2978025].message }}
- Caleb Spilchen 13 years ago
  
  Originally Posted by Mukul Verma
  
  So is this deal or fake?
  
  Look at how its an S here as well
  
  Security Issue In Google Website Optimiser
  
  Thanks
  
  1 reply
  
  Signature
  
  Canadian Expat Living in Medellin, Colombia
  
  {{ DiscussionBoard.errors[2978048].message }}
  
  NoOne1 13 years ago
  
  Just my opinion, but I think the discrepancy in the emails says to me it's a fake.
  
  Thanks
  
  {{ DiscussionBoard.errors[2978075].message }}
Caleb Spilchen 13 years ago

Official Google Website Optimizer Blog

And youd think they would have a blog post about it as well.
- Thanks
Signature

Canadian Expat Living in Medellin, Colombia
{{ DiscussionBoard.errors[2978102].message }}
Bane 13 years ago

Actually, the descrepancy could be cause by geotargetting on their end.

If you live in US, you get a Z, if you live in england, you get an S.

Google have been doing that with all their mails for a long time now, and if anything causes me to suspect this is legit as opposed to fake.
- Thanks
- 1 reply
Signature

Who is Bane?
My 200th post to the community.
{{ DiscussionBoard.errors[2978322].message }}
- WhamSoft 13 years ago
  
  Hi Guys,
  
  I think this is 100% real and not a fake email.
  
  I received the same email for two of my separate accounts.
  
  And by chance I'd setup a new optimizer test late last night, after checking when I got the email this morning I have the updated code.
  
  I'd check and update your websites accordingly. If your still skeptical you can stop your current test and setup a new test with the new updated code.
  
  Regards
  Lee
  
  Thanks
  
  Signature
  Free Download: 101 Traffic Tips Report
  
  Special: Get More VIDEO VIEWS For a Flood of Traffic & Sales
  Popular: 110+ Automated Do-Follow Backlinks
  
  Console Repair: Xbox 360 Repair - NDS Repair - PS3 Repair - Wii Repair
  
  {{ DiscussionBoard.errors[2978493].message }}
newayexpress 13 years ago

I also have one. Becareful...
- Thanks
{{ DiscussionBoard.errors[2978476].message }}

Security issue in Website Optimizer - Real or Fake?

Trending Topics

How do I effectively build and nurture an email list for affiliate marketing purposes?

Are Solo ADs the Most Cost Effective Way to Promote your Product?

Are billboards still effective in driving customers?

Been a while! Any of you Old Timers here?

How much does the rebranding affect CR ?