Google Website Optimizer Security Vulnerability

I’m a huge fan of Google Website Optimizer. But I’m rather troubled that Google have not been more upfront about a security vulnerability discovered this week:

Website Optimizer Bug Requiring Immediate Attention
On November 7 (PST), we became aware of a bug in Website Optimizer that makes your experiment pages vulnerable to tampering. We have now identified the problem and created a fix (information below). However, to correct this problem you must manually modify the control scripts on all of your experiment pages. You should implement this fix as soon as possible on all past and present experiment pages. Note that this bug only affects experiments created before November 9 (PST).

I’m running a GWO test on a site and only just discovered the vulnerability when I logged in to check stats. That means Google have known the site is vulnerable for at least two days.

Why no email warning GWO users, Google?

Update: 10 minutes after I posted this, I received email notification from Google - two days after the vulnerability was identified…
