Attackers Can Leak Credit Card Information Through Google Analytics

Attackers Can Leak Credit Card Information Through Google Analytics

  • Home
  • Blog
  • Attackers Can Leak Credit Card Information Through Google Analytics

Attackers Can Leak Credit Card Information Through Google Analytics

zemarkhos-blog-attackers-can-leak-credit-card-information-through-google-analytics

Attackers use the Google Analytics service to steal critical information from users on e-commerce sites. In their statement, PerimeterX, Kaspersky and Sansec companies stated that attackers were able to retrieve critical information such as credit cards of users by placing malicious code on their website along with the tracking code generated by Google Analytics.

Attackers use the CSP (Content Security Policy) Bypass technique to inject code into their website. CSP is a security measure that helps detect and mitigate threats from code injection attacks. However, attackers can circumvent the CSP measure in the CSP configurations of e-commerce sites that use Google's web analytics service, by whitelisting Google Analytics domains.

The statement stated that in order to capture critical data such as credit card information belonging to users, it is necessary to inject a malicious JavaScript code to the target site. This way, data can be leaked through parameters used by Google Analytics to identify transactions performed on a site. In addition, in order to make the attacks more private, the attackers can continue to attack if the developer mode, which detects network requests and security errors in the users' browsers, is active and the developer mode is not enabled. There is no definitive solution to prevent users from being affected by the attacks. However, in order to avoid being affected by attacks, CSP configurations of e-commerce sites can be edited and while users visit e-commerce sites.