No website, service, or platform is immune to being abused or exploited by hackers, and Google Analytics is no exception. To better understand how Google Analytics can help deliver payloads and bypass security protocols, one might want to learn how to use Google Analytics from a user's perspective first.
Google Analytics Abuse & Vulnerabilities
Detectify showed how Google Analytics could be used for data extraction by taking advantage of a site's Content Security Policy, where it's not abnormal to trust everything coming in or out from a google-analytics.com domain. Hackerone has even paid a bug bounty for these types of hacks.
Black hats once stole banking and credit card info for online users of VisionDirect, a contact lens dealer. They used an omission-based URL phishing scheme in a Magecart attack to make google-analytics.com look like g-analytics.com, to place malicious JavaScript code to steal the financial data whenever it was entered onto the site. A homoglyph-based URL would have been even harder to detect.
In an oldie but goodie, a security researcher used a blind cross-site scripting attack, with the payload in a Google Analytics report attachment sent via email that had ..
Support the originator by clicking the read the rest link below.
