Want to fuck an S.E.O. over?
Hi,
In the last couple of weeks I’ve spent quite a large amount of time playing with analytics, most specifically Omniture.
I don’t know about other analytics packages (well, I do but I can’t be arsed to think about it), but Omniture has a massive implementation flaw, which of course opens the door for some fun.
There seems to be no security tie between the page containing the beacon and Omniture. What I mean is that Omniture’s servers will accept a beacon ping from anywhere, from any page on the internet.
Sooo, for instance, I could wander over to Apple, have a quick shifty at their Omniture beacon and then copy it into any page on the web, and that page would start contributing data into Apple’s Omniture account. They have no domain blacklist/whitelist, you see.
So this is where any SEO would start thinking, ‘How can I push this ?’
Well, since the ping to the server is JavaScript generated, this means you can easily script the beacon transmit function (s.t()) to send all manner of fun stuff into the Apple Omniture account.
Obviously, once you can push false stats into a site’s analytics, you’re going to be able to generate a shitload of head-scratching for anyone within the organisation who spends time analysing those stats for leverage, which is usually the SEO guy.
kekekekekekeke


June 28th, 2010 at 3:43 am
Actually that won’t work if the tool is configured correctly. There are settings in every web analytics tool that allow you to only parse traffic into the database that comes from specific domains. Setting up these filters is quite trivial.
April 14th, 2011 at 12:34 pm
Hey Dustin,
You won’t mind enlightening us about where in SiteCatalyst that setting is then?
(and actually, even that is possibly spoofable since it looks like the URL is passed up in the ping as a variable)
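The defence the post and the comments circle around, written up here as an added example (it is not code from the post, from Omniture or from any commenter): a collection-side filter that accepts a beacon hit only when both the page URL the beacon reports and the browser-supplied Referer resolve to an allowlisted host and agree with each other, because the reported URL alone is under the sender’s control. The allowlist, the field names and the sample hits are assumed and constructed for illustration.

```python
from urllib.parse import urlparse

# Hosts whose pages may report into this analytics account (assumed example list).
ALLOWED_HOSTS = {"www.example.com", "store.example.com"}


def host_of(url):
    """Return the lowercase hostname of a URL, or None if there is none."""
    host = urlparse(url or "").hostname
    return host.lower() if host else None


def classify_hit(hit):
    """Classify one beacon hit as 'accepted' or 'rejected:<reason>'.

    'reported_url' is the page URL the beacon script put into the ping as a
    variable (sender-controlled). 'referer' is the HTTP Referer header the
    collection server saw, set by the browser that ran the copied beacon.
    Both are checked, and they must name the same allowlisted host.
    """
    rep_host = host_of(hit.get("reported_url"))
    ref_host = host_of(hit.get("referer"))
    if rep_host not in ALLOWED_HOSTS:
        return "rejected:reported-url-not-allowlisted"
    if ref_host is None:
        return "rejected:missing-referer"
    if ref_host not in ALLOWED_HOSTS:
        return "rejected:referer-not-allowlisted"
    if ref_host != rep_host:
        return "rejected:referer-reported-mismatch"
    return "accepted"


def filter_hits(hits):
    """Split hits into (accepted, rejected); rejected entries carry a reason."""
    accepted, rejected = [], []
    for hit in hits:
        verdict = classify_hit(hit)
        (accepted if verdict == "accepted" else rejected).append((hit, verdict))
    return accepted, rejected


# Constructed sample hits, not real traffic.
SAMPLE_HITS = [
    {"referer": "https://www.example.com/mac", "reported_url": "https://www.example.com/mac"},
    # Beacon copied verbatim onto an unrelated page: both fields point elsewhere.
    {"referer": "http://blog.unrelated.test/p", "reported_url": "http://blog.unrelated.test/p"},
    # Copied beacon whose script fills in an allowlisted page URL; Referer still differs.
    {"referer": "http://blog.unrelated.test/p", "reported_url": "https://www.example.com/mac"},
    # No Referer at all, so the hit cannot be tied to an allowlisted page.
    {"referer": None, "reported_url": "https://store.example.com/cart"},
]
```

Running `filter_hits(SAMPLE_HITS)` accepts only the first hit and rejects the other three with a reason, which is the kind of breakdown worth surfacing in a report so that bogus traffic is visible rather than silently mixed into the numbers the SEO team reads.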