
Worth noting that, since the Analytics ID is publicly visible, anyone can load Google Analytics on their own site using that ID. No FBI connection required.

This is called Analytics hijacking and it was once (still is) a common spam technique: Create site buy-my-stuff.net, load a bunch of hijacked analytics scripts there, and then the owners of those accounts will see “buy-my-stuff.net” in their analytics reports.

Edit: As commenter lmgk reminded me, you don’t even need to make a site, just use the API to make pageview calls.




Is it not possible to whitelist your own domains in Google Analytics? Forgive my ignorance, I don't use it at all.


You don't need to host a site. The data format to send data into Google Analytics is an open API (called the Measurement Protocol). You can just ping Google's servers directly with the appropriate payload, which includes crafted URL parameters.


The actual Google Analytics account has a setting admins can control to only allow data from specific domains, though this can be faked.

Also, usually these IDs are copied when someone clones a website they want to steal the design of but they don’t bother updating the style or JS.


Any info about what domain is being visited would be client side, which could be easily changed.
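
An added example, not written by any commenter in this thread: a hostname allowlist applied to exported hit rows, showing which of the cases discussed above it catches and which it cannot. The allowlist, the row layout, the sample rows and the referrer cross-check are all assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumption: the hostnames this property legitimately serves (hypothetical).
ALLOWED_HOSTS = {"example.org", "www.example.org"}

# Constructed sample rows, shaped like an exported hit report.
SAMPLE_HITS = [
    {"hostname": "www.example.org", "referrer": "https://news.ycombinator.com/"},
    {"hostname": "WWW.EXAMPLE.ORG.", "referrer": ""},             # same site, odd casing
    {"hostname": "buy-my-stuff.net", "referrer": ""},             # ID loaded on another site
    {"hostname": "clone-of-example.test", "referrer": ""},        # cloned site kept the ID
    {"hostname": "(not set)", "referrer": "https://buy-my-stuff.net/"},        # no hostname sent
    {"hostname": "www.example.org", "referrer": "https://buy-my-stuff.net/"},  # forged hostname
]

def normalize_host(value):
    """Lower-case and drop a trailing dot so equivalent hostnames compare equal."""
    return (value or "").strip().lower().rstrip(".")

def split_hits(hits, allowed=ALLOWED_HOSTS):
    """Return (kept_hits, Counter of rejected hostnames)."""
    kept, rejected = [], Counter()
    for hit in hits:
        host = normalize_host(hit.get("hostname"))
        if host in allowed:
            kept.append(hit)
        else:
            rejected[host or "(empty)"] += 1
    return kept, rejected

def suspicious_kept(kept, rejected):
    """Heuristic: a kept hit whose referrer host was itself rejected as a
    hostname may carry a forged hostname, since that field is client-supplied."""
    flagged = []
    for hit in kept:
        ref_host = normalize_host(urlsplit(hit.get("referrer") or "").hostname)
        if ref_host and ref_host in rejected:
            flagged.append(hit)
    return flagged

if __name__ == "__main__":
    kept, rejected = split_hits(SAMPLE_HITS)
    print("kept:", len(kept), "rejected:", dict(rejected))
    print("kept but suspicious:", suspicious_kept(kept, rejected))
```

The last sample row passes the allowlist because the hostname value is whatever the sender chose; only the referrer cross-check surfaces it, and a sender who also blanks the referrer passes both.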



