No joke: Google’s April Fool’s prank inadvertently broke site’s security

An April Fool's prank Google pulled two weeks ago inadvertently broke some of the site's security, an error that briefly allowed so-called click-jacking exploits that trick users into performing undesired actions such as changing their user preferences.

Google's April Fool's pranks have become a favorite pastime on the Internet. This year, people who visited the site on April 1 found the entire contents of Google's iconic home page displayed backwards. Web developing nerds also found a line in Google's Web response headers that read "!sLooF LIRPA YPPAH," which spells "Happy April Fool's" backward. According to a blog post published Friday by researchers from Netcraft, the prank also caused Google's homepage to omit a crucial header that's used to prevent click-jacking attacks.

Attackers could have seized on the omission of the X-Frame-Options header to change a user's search settings, including turning off SafeSearch filters. The chief reason for using X-Frame-Options is to prevent the use of HTML iframe tags to display Google's homepage on third-party Web pages. With that protection bypassed, attackers were free to stitch the Google page into their own site and embed hidden code that changed the function of certain links. As the Netcraft blog post explained:

Read 1 remaining paragraphs | Comments