Google AdWords Security Issue: Website Optimizer

This morning Google AdWords began sending out security issues in regards to their Website Optimizer feature.  If you’re not familiar with this tool, Optimizer (or Optimiser as it says in many of our MCC accounts because we apparently signed up for AdWords under a British link way back when) allows you to perform A/B split tests in order to increase conversion rates on your landing pages.

This has always been one thing that’s made me uneasy about using third-party codes on our and our clients’ sites, although it’s always a trade-off.  I’ve had sites hacked that didn’t have any third-party code on them, so go with your gut.  At least with AdWords, you know it’s something they’re constantly monitoring with some of the smartest Web engineers in the world – even if the Chinese government is purposefully hacking into their systems.

(BTW, shameless plug for a friend’s new novel.  If cyber-terrorism scares you – and really it should – this is a fantastic read.  Even set in West Virginia, though that’s not where the author is from.  Check out The Chinese Conspiracy by John Mariotti.  No compensation for this – he doesn’t even know I’m posting it.)

According to the email, if you have installed any Optimizer code that was created prior to December 3rd, you need to update and they recommend creating a new experiment, though you can also do a workaround to use the same experiment.  But if you want to do it the hard way, here’s how:

• Locate the Control Script on your site. It looks like this:

A/B Test Control Script
<!-- Google Website Optimizer Control Script -->
<script>
function utmx_section(){}function utmx(){}
(function(){var k='XXXXXXXXXX',d=document,l=d.location,c=d.cookie;function f(n){
if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);return c.substring(i+n.
length+1,j<0?c.length:j)}}}var x=f('__utmx'),xx=f('__utmxx'),h=l.hash;
d.write('<sc'+'ript src="'+
'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
+'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+'&utmxtime='
+new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1)):'')+
'" type="text/javascript" charset="utf-8"></sc'+'ript>')})();
</script><script>utmx("url",'A/B');</script>
<!-- End of Google Website Optimizer Control Script -->

Multivariate Test Control Script
<!-- Google Website Optimizer Control Script -->
<script>
function utmx_section(){}function utmx(){}
(function(){var k='XXXXXXXXXX',d=document,l=d.location,c=d.cookie;function f(n){
if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);return c.substring(i+n.
length+1,j<0?c.length:j)}}}var x=f('__utmx'),xx=f('__utmxx'),h=l.hash;
d.write('<sc'+'ript src="'+
'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
+'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+'&utmxtime='
+new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1)):'')+
'" type="text/javascript" charset="utf-8"></sc'+'ript>')})();
</script>
<!-- End of Google Website Optimizer Control Script -->

1. Locate the following in the Control Script: return c.substring(...
2. Modify the following line as shown:
   BEFORE: return c.substring(i+n.length+1,j<0?c.length:j)
   FIXED: return escape(c.substring(i+n.length+1,j<0?c.length:j))
   Make sure to include the final closing parenthesis “)”

Fixed A/B Control Script
<!-- Google Website Optimizer Control Script -->
<script>
function utmx_section(){}function utmx(){} (function(){var k='XXXXXXXXXX',d=document,l=d.location,c=d.cookie;function f(n){ if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);
return escape(c.substring(i+n.length+1,j<0?c.length:j))}}}
var x=f('__utmx'),xx=f('__utmxx'),h=l.hash; d.write('<sc'+'ript src="'+
'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
+'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+'&utmxtime='
+new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1)):'')+
'" type="text/javascript" charset="utf-8"></sc'+'ript>')})();
</script><script>utmx("url",'A/B');
</script>
<!-- End of Google Website Optimizer Control Script -->

Fixed Multivariate Control Script
<!-- Google Website Optimizer Control Script -->
<script>
function utmx_section(){}function utmx(){}
(function(){var k='XXXXXXXXXX',d=document,l=d.location,c=d.cookie;function f(n){
if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);
return escape(c.substring(i+n.length+1,j<0?c.length:j))}}}
var x=f('__utmx'),xx=f('__utmxx'),h=l.hash; d.write('<sc'+'ript src="'+
'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
+'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+'&utmxtime='
+new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1)):'')+
'" type="text/javascript" charset="utf-8"></sc'+'ript>')})();
</script>
<!-- End of Google Website Optimizer Control Script -->

Note that the linek=XXXXXXXXX in the above Control Script examples is a placeholder.

Good luck.  Whichever way you decide to go, please update now!

To get more information on this topic, contact us today for a free consultation or learn more about our status as a Google Partner Agency before you reach out.