I use StatCounter to track page usage on some of my websites. One such website is whatismyip.ie. This site, which I have yet to work on properly, determines the IP address of the visitor's machine. But that's not really that interesting…yet.
What is interesting is a weakness in the StatCounter system which lets any visitor very easily override the StatCounter display settings for a given web page. For example, on the homepage of whatismyip.ie I have StatCounter code which counts how many hits that page has received. My StatCounter project for that domain is set not to display any visual representation of hits on the site. I hate sites with visible counters. They're tacky. So what is this….
The code above shows the number of hits that whatismyip.ie has received. Fantastic! If anybody wants to find out my hit count, all they have to do is view the page source and remove the &invisible=1 part from the img URL, and hey presto, they can view something I never wanted them to view. The "invisible" setting is carried in the URL of the tracking image itself, and every visitor can see and edit that URL.
How handy is that?
Is this a vulnerability? It certainly displays something I never wanted displayed.
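To make the point concrete, here is an added example (not this page's own code and not StatCounter's): a toy tracker endpoint in Python, in a weak form that honours a client-supplied invisible=1, beside a hardened form that reads visibility from the project's stored setting and ignores the parameter. The URL format, host, project id, "security" token and hit count are all constructed for illustration and do not reproduce StatCounter's real scheme.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed stand-in for the per-project settings the tracking service
# stores on its own side (what the site owner chose in the dashboard).
# Project id, token and hit count are invented for this example.
PROJECT_SETTINGS = {
    "1234567": {"security": "ab12cd34", "hits": 48213, "show_counter": False},
}

# Constructed example of the image URL a visitor sees in the page source.
# It imitates the shape the post describes (a query string carrying
# `invisible=1`); it is not StatCounter's real URL format.
IMG_URL = "http://counter.example/t.php?sc_project=1234567&security=ab12cd34&invisible=1"


def strip_param(url, name):
    """Rewrite a URL without one query parameter.

    This is exactly the edit the post describes: view source, copy the img
    URL, delete `&invisible=1`, load the result.
    """
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k != name]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def _lookup_project(url):
    """Resolve the project named in the query string.

    The `security` token sits in the page source for every visitor to read,
    so it can only identify the project; it cannot prove the request comes
    from the owner and must not be treated as authorisation for anything.
    """
    params = dict(parse_qsl(urlsplit(url).query))
    project = PROJECT_SETTINGS.get(params.get("sc_project"))
    if project is None or params.get("security") != project["security"]:
        return params, None
    return params, project


def render_vulnerable(url):
    """Weak design: the request decides whether the count is drawn.

    `invisible` is chosen by whoever loads the image, so a visitor who drops
    it from the URL is served the count the owner wanted hidden.
    """
    params, project = _lookup_project(url)
    if project is None:
        return {"status": 404, "shows_count": False, "hits": None}
    if params.get("invisible") == "1":
        return {"status": 200, "shows_count": False, "hits": None}
    return {"status": 200, "shows_count": True, "hits": project["hits"]}


def render_hardened(url):
    """Fix: visibility comes from the owner's stored setting and the request
    parameter is ignored. The hit count leaves the server only if the owner
    opted in to a visible counter.
    """
    _, project = _lookup_project(url)
    if project is None:
        return {"status": 404, "shows_count": False, "hits": None}
    if not project["show_counter"]:
        return {"status": 200, "shows_count": False, "hits": None}
    return {"status": 200, "shows_count": True, "hits": project["hits"]}


if __name__ == "__main__":
    edited = strip_param(IMG_URL, "invisible")
    print("edited URL:             ", edited)
    print("vulnerable, original URL:", render_vulnerable(IMG_URL))
    print("vulnerable, edited URL:  ", render_vulnerable(edited))
    print("hardened,   edited URL:  ", render_hardened(edited))
```

The design point is that anything embedded in a page's HTML, including a tracking image URL and any token inside it, is readable and editable by every visitor, so a preference the owner wants enforced has to be looked up server-side from the project record, not echoed back from the request.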
Cormac
2 responses so far
In an email I received back from StatCounter they basically said to edit the HTML so that when you publish their code on your site you remove any reference to the img URL.
Why can’t they do that on their end when they ask you if you want the image to be displayed or not? If they’re just going to change the variable &invisible= to either 0 or 1 then that is hardly secure.
[...] I so far have Google Analytics, Statcounter and Firestats installed on my blog to illustrate my statistics. A tad too much? [...]