Learn how to build up your site’s defense against bad actors exploiting Google Analytics to access shopper data.
Recent eCommerce security headlines have covered bad actors exploiting Google Analytics (GA) to bypass Content Security Policies (CSPs) and inject malicious code into sites to steal shopper data. By using GA as an entry vehicle, hackers take advantage of the estimated 29.1 million sites currently using the tool. These attacks have already affected several dozen eCommerce sites selling digital equipment, cosmetics, food products, spare parts, etc. Because shoppers are constantly entering personal data such as credit card information and login credentials, these sites are common targets.
CSP is an absolute necessity for eCommerce sites. It is one part of a layered approach to security: CSP’s job is to block resources from being loaded or executed from domains that are not approved. So, in circumstances where malicious code evades other safeguards and gets onto your site, the CSP blocks that code from sending information to any domain that is not whitelisted. It takes a zero-trust approach: anything not listed in the CSP policy is blocked. This covers a lot of cases, but in the case mentioned above, sites that use GA have already whitelisted the google-analytics domain, so the exfiltration is not blocked by the CSP.
Any site using GA or another analytics system should be addressing this vulnerability as soon as possible. Although it may seem like a novel approach, this exploitation technique is not a new concept, and brands should always be aware of and ready for this type of threat across their eCommerce properties.
A site can be sending data to multiple unknown UA codes at any time, often from 3rd-party tags and similar integrations. This can happen in several ways, either maliciously or simply by accident; people make mistakes that open up security holes. For this specific exploit, though, there are two actions that need to be taken to build a good defense:
First, don’t let malicious code access your shoppers’ personal data. This includes credit card information, username, password, and anything else that someone would type into a form or select from a drop-down.
In the screenshot below, we can see how this 3rd party governance solution can lock down access to the ccnumber input field so that only code coming from the host domain is allowed. This means that unless the code was loaded from the website’s own domain, any access to the information inside that field is blocked:
Second, it is not enough to have visibility and control over where resources are executed on your site; it is also necessary to scrub your outgoing domain requests. By looking at the information being sent to Google, and at which UA code it is being sent to, you can determine whether the request should be terminated. Continuous, fine-tuned scrubbing of requests gives you full and constant visibility into what is happening on your site.
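Request scrubbing in code, as an added example that is not from the original post or from any product it describes: the hit is classified by the tracking ID (`tid`) it carries, so a GA hit bound for a UA code the site does not own is terminated even though the google-analytics domain itself is whitelisted. The allowlist `OWN_TRACKING_IDS`, the `UA-000000-1` placeholder and the `navigator.sendBeacon` wrapper are all assumptions for this example.

```javascript
// Added example: scrub outgoing Google Analytics hits by tracking ID.
// OWN_TRACKING_IDS is a constructed placeholder; replace it with the site's real property IDs.
const GA_HOSTS = new Set([
  'www.google-analytics.com', 'google-analytics.com',
  'ssl.google-analytics.com', 'region1.google-analytics.com',
]);
const OWN_TRACKING_IDS = new Set(['UA-000000-1']); // constructed placeholder

// Pull every tid out of a hit: the URL query (single /collect hits) and the
// form-encoded body, one hit per line (the /batch endpoint).
function extractTrackingIds(url, body) {
  const ids = [];
  let parsed;
  try { parsed = new URL(url); } catch { return { isGa: false, ids }; }
  if (!GA_HOSTS.has(parsed.hostname)) return { isGa: false, ids };
  const queryTid = parsed.searchParams.get('tid');
  if (queryTid) ids.push(queryTid);
  if (typeof body === 'string' && body.length > 0) {
    for (const line of body.split('\n')) {
      const tid = new URLSearchParams(line).get('tid');
      if (tid) ids.push(tid);
    }
  }
  return { isGa: true, ids };
}

// Decide whether a hit must be terminated. Non-GA requests are left to the CSP
// and other policies; a GA hit that names no tid, or any tid the site does not
// own, is terminated because there is nothing legitimate to attribute it to.
function shouldTerminateHit(url, body, allowed = OWN_TRACKING_IDS) {
  const { isGa, ids } = extractTrackingIds(url, body);
  if (!isGa) return false;
  if (ids.length === 0) return true;
  return ids.some((id) => !allowed.has(id));
}

// Hypothetical hook point: wrap navigator.sendBeacon so hits are scrubbed before
// they leave the page. This only gives visibility over code that calls the wrapped
// function; a governance tool hooks lower than a page script can.
function installBeaconGuard(allowed = OWN_TRACKING_IDS) {
  if (typeof navigator === 'undefined' || typeof navigator.sendBeacon !== 'function') return false;
  const original = navigator.sendBeacon.bind(navigator);
  navigator.sendBeacon = (url, data) => {
    const body = typeof data === 'string' ? data : '';
    if (shouldTerminateHit(String(url), body, allowed)) {
      console.warn('Terminated GA hit to unknown tracking ID:', String(url));
      return false;
    }
    return original(url, data);
  };
  return true;
}
```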
The truth is, there is no “cover-all” solution for these types of security threats, but by building up your defense with a CSP and a 3rd party governance solution, you can minimize the chances of these attacks happening to you. Every eCommerce site should be using a CSP as one layer of its security strategy, and a 3rd party governance tool can take your CSP beyond its limitations to address the GA (and many other) vulnerabilities. As mentioned earlier, any site using GA needs to act now!