Google Analytics – your stats are at risk of getting spammed

I came across a surprising issue with Google Analytics yesterday when a client contacted me: it appeared page hits were getting logged for dozens of pages that don’t exist on his website.

While I thought about the possibility of some PHP vulnerability or other security issue on the server, it occurred to me that obviously these pages had to exist somewhere for the Google Analytics tracking code to get executed.

I started doing a little detective work by Googling the file names of some non-existing pages that showed up in the stats. Soon enough I found one obscure enough to only come up with a few hits.

When checking the source code for that page the problem was obvious: the website was using the same Google Analytics tracking ID my client had on his website. It didn’t appear to be anything malicious, maybe them making a typo or some HTML code getting ripped from my client’s site and reused without realizing the tracking code was still in there.

The consequence though is some completely messed up statistics — I am baffled Google doesn’t do a 404 check on pages that get tracked or even a referrer check to see if the domain corresponds with the domain the tracking ID was registered to.

It leaves my client having to filter out dozens of non-existing pages, even worse on pages that have the same path and filename. For those there seems to be no clear way of figuring out what hits came from one website and what page hits from the other.

In my honest opinion this is a pretty serious issue that needs to be addressed; if nothing else it leaves Google Analytics open to unscrupulous characters to spam your visitor stats.
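
Added example, not part of the original post: one way to separate the two sites' hits, assuming each exported hit row carries the hostname that served the page next to its path. The field names `hostname` and `pagePath`, the allowlist and the sample rows are constructed, and `guardedTrack` with its `sendHit` callback is a hypothetical wrapper around whatever call the page uses to send a hit.

```javascript
// Hostnames allowed to report into this tracking ID (assumed values).
const ALLOWED_HOSTS = ["example.com", "www.example.com"];

// Normalise a hostname: trim, lower-case, strip any port and a trailing dot.
function normaliseHost(host) {
  return String(host || "").trim().toLowerCase()
    .replace(/:\d+$/, "").replace(/\.$/, "");
}

// Exact match only: suffix matching would also accept "example.com.other.test".
function isOwnHost(host, allowed = ALLOWED_HOSTS) {
  return allowed.includes(normaliseHost(host));
}

// Split exported hit rows into own and foreign, counting foreign hits per host.
// Rows with an identical pagePath are still told apart by their hostname.
function partitionHits(rows, allowed = ALLOWED_HOSTS) {
  const result = { own: [], foreign: [], foreignByHost: {} };
  for (const row of rows) {
    if (isOwnHost(row.hostname, allowed)) {
      result.own.push(row);
    } else {
      const host = normaliseHost(row.hostname) || "(not set)";
      result.foreign.push(row);
      result.foreignByHost[host] = (result.foreignByHost[host] || 0) + 1;
    }
  }
  return result;
}

// Page-side guard: if the HTML is copied to another domain together with the
// tracking snippet, the copy stops reporting into the original property.
function guardedTrack(currentHost, sendHit, allowed = ALLOWED_HOSTS) {
  if (!isOwnHost(currentHost, allowed)) return false;
  sendHit();
  return true;
}

// Constructed sample rows (not real traffic).
const SAMPLE_HITS = [
  { hostname: "www.example.com", pagePath: "/index.html" },
  { hostname: "other-site.example.net", pagePath: "/index.html" },
  { hostname: "other-site.example.net", pagePath: "/gallery/old.html" },
  { hostname: "WWW.EXAMPLE.COM.", pagePath: "/contact.html" },
  { hostname: "", pagePath: "/index.html" },
];
```

In a browser the guard would be called with `location.hostname`; the per-host counts from `partitionHits` show which foreign site is reusing the ID.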


8 thoughts on “Google Analytics – your stats are at risk of getting spammed”

  1. Fabian says:

    Google Analytics fail :/ Maybe it’s time I try out another system like Woopra or something. It’s scary when I think about how much faith I put in Google to handle things for me. Feedburner, Gmail, Google Feeds, Google Analytics.. shocking really!

  2. Zeh says:

    Maybe a better solution (even if not a real solution) would be to just create a new code and move tracking to that new code. But yeah, they should at least add some kind of referral check.

  3. […] morning Peter Else posted an article on his blog (viewable here) about the potential for someone to use another person’s Google Analytics tracking number for […]

  4. @Peter Good catch Pet!
    @Fabian I use Woopra for my blogs and it’s awesome. Especially the LIVE feature.. Love it so far.

  5. Jensa says:

    I’ve kind of given up on trusting Google. I use both Google Analytics and Google Urchin on my server. Urchin is the software that analytics is built upon, but the main difference is that Urchin is installed on the server. Urchin constantly reports more than twice the unique visitors that Analytics does. So who do I trust – Google or Google?

    To test a little, I’ve now installed a third system. This reports somewhere in between the other two… I guess statistics are always misleading. What is it they say: there’s lies, damn lies and statistics? 🙂


  6. K Irizawa says:

    Wow. That’s an amazing story. I’ve had my server hacked once and found my traffic spike up, but never heard of a case like this until now. Unless you create another profile and migrate the code, I hope either that site fixes it or Google utilizes 404… Sorry to hear about that.

  7. […] > Google Analytics – your stats are at risk of getting spammed | Peter Elst […]
