ArsTechnica.com published an article that a Google April Fools prank actually pranked their own security. The error allowed a click – jacking exploit that tricks users into changing things they don’t want changed. Apparently hackers would be able to incorporate Google into their own site and embed code that would change functionality.

From the article:

An April Fool’s prank Google pulled two weeks ago inadvertently broke some of the site’s security, an error that briefly allowed so-called click-jacking exploits that trick users into performing undesired actions such as changing their user preferences.

Google’s April Fool’s pranks have become a favorite pastime on the Internet. This year, people who visited the site on April 1 found the entire contents of Google’s iconic home page displayed backwards. Web developing nerds also found a comment in the web page itself that read “!sLooF LIRPA YPPAH,” which spells “Happy April Fool’s” backward. According to a blog post published Friday by researchers from Netcraft, the prank also caused Google’s homepage to omit a crucial header that’s used to prevent click-jacking attacks.

Attackers could have seized on the omission of the X-Frame-Options header to change a user’s search settings, including turning off SafeSearch filters. The chief reason for using X-Frame-Options is to prevent the use of HTML iframe tags to display Google’s homepage on third-party Web pages. With that protection bypassed, attackers were free to stitch the Google page into their own site and embed hidden code that changed the function of certain links. As the Netcraft blog post explained:

Read the full article on ArsTechnica