Attackers Can Leak Credit Card Information Through Google Analytics
Attackers are using the Google Analytics service to steal critical information from users of e-commerce sites. PerimeterX, Kaspersky and Sansec have stated that attackers were able to retrieve critical information such as users' credit card data by placing malicious code on these websites along with the tracking code generated by Google Analytics.
Attackers use a CSP (Content Security Policy) bypass technique to inject code into the website. CSP is a security measure that helps detect and mitigate threats from code injection attacks. However, on e-commerce sites that use Google's web analytics service, the CSP configuration whitelists Google Analytics domains, and attackers can use this to circumvent the CSP measure.
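A defender-side check for the condition described above, as an added example that is not from the original article or the named vendors: it parses a Content-Security-Policy header and lists the fetch directives that admit Google Analytics hosts. The host list, function names and sample policy are assumptions constructed for illustration.

```javascript
// Added example: audit a CSP header for directives that allow Google Analytics hosts.
// GA_HOSTS and SAMPLE are constructed for illustration, not taken from the article.
const GA_HOSTS = ["www.google-analytics.com", "ssl.google-analytics.com"];
// Fetch directives through which a script running in the page can send data off-site.
const EGRESS = ["connect-src", "img-src", "script-src"];

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers, so the first occurrence wins.
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// True if a single CSP source expression permits an https request to `host`.
function sourceAllows(source, host) {
  const s = source.toLowerCase();
  if (s === "*" || s === "https:") return true;
  if (s.startsWith("'")) return false; // keywords, nonces and hashes name no host
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::[\d*]+)?(?:\/.*)?$/);
  if (!m || (m[1] && !["http", "https"].includes(m[1]))) return false;
  return m[2].startsWith("*.") ? host.endsWith(m[2].slice(1)) : m[2] === host;
}

function auditGaEgress(header) {
  const policy = parseCsp(header);
  const findings = [];
  for (const directive of EGRESS) {
    // An absent directive falls back to default-src; with neither, nothing is restricted.
    const effective = policy.get(directive) ?? policy.get("default-src");
    if (effective === undefined) {
      findings.push({ directive, via: "(no restriction)" });
      continue;
    }
    const hit = effective.find((src) => GA_HOSTS.some((h) => sourceAllows(src, h)));
    if (hit) findings.push({ directive, via: hit });
  }
  return findings;
}

const SAMPLE = "default-src 'self'; script-src 'self' https://www.google-analytics.com; " +
  "connect-src 'self' *.google-analytics.com; img-src 'self'";
console.log(auditGaEgress(SAMPLE));
```

A finding means the policy permits requests to Google Analytics in general; CSP source expressions match hosts, so the policy cannot tell the site's own Analytics account from anyone else's.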