Defense in Depth: Google Analytics Security Vulnerabilities for eCommerce
Making recent headlines is the case of bad actors exploiting Google Analytics (GA) to bypass Content Security Policies (CSPs) and inject malicious code onto sites to steal shopper data. By using GA as an entry vehicle, hackers are taking advantage of the estimated 29.1 million sites currently using the tool. These attacks have already affected several dozen eCommerce sites selling digital equipment, cosmetics, food products, spare parts, etc. Because shoppers are always entering personal data like credit card information and login credentials, these sites are commonly targeted by hackers.
CSP is an absolute necessity for eCommerce sites. It is part of a layered approach to security; CSP’s job is to block resources from being loaded or executed from domains that shouldn’t be allowed, and to block data from being sent to such domains. So, in circumstances where malicious code evades other safeguards and gets onto your site, the CSP will block that code from sending any information to a domain that is not whitelisted. It takes a zero-trust approach: anything that’s not listed in the CSP policy is blocked. This covers a lot of cases, but in the case mentioned above, sites that use GA have whitelisted the google-analytics domain, so a request that sends stolen data to GA is not blocked by the CSP.
Any sites using GA or other analytics systems should be addressing this vulnerability as soon as possible. And although this may seem like a novel approach, this exploitation technique is not a new concept, and brands should always be aware of and ready for this type of threat across their eCommerce properties.
Because Yottaa works with eCommerce brands, we see sites with multiple unknown UA codes (GA tracking IDs) all the time, often sending tracking information to 3rd parties. This could happen in multiple different ways — either maliciously or just by accident. People can make mistakes that cause issues and open up security holes. But for this specific exploit, there are two actions that need to be taken to build a good defense:
1. Control access to personal data
Don’t let malicious code access your shoppers’ personal data. This can include credit card information, username, password, and anything that someone would type into a form or select from a drop down.
In the screenshot below, we can see how Yottaa’s eCommerce governance solution, SERVICE CTRL, can lock down access to the ccnumber input field to only allow code coming from the host domain. This means that unless the code was loaded from the website’s domain, it will block any access to the information inside of it:
2. Scrub domain requests
Not only should you have visibility and control over where resources are executed on your site, but it’s also necessary to scrub your domain requests. By looking at the info being sent to Google, and to which UA code it is sent, you’ll have the ability to determine whether the request needs to be terminated. Continuous, fine-tuned scrubbing of requests will give you full and constant visibility into what’s happening on your site.
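The request scrubbing described in step 2, as an added illustration that is not Yottaa’s or SERVICE CTRL’s code: a small JavaScript classifier that inspects an outbound GA collect request, checks its UA code (the `tid` parameter) against the site’s own property IDs, and flags payload fields that look like shopper form data, so an operator can decide whether the request should be terminated. The allowlisted ID and the sample requests are constructed placeholders.

```javascript
// Added example: classify outbound Google Analytics "collect" hits by UA code
// and payload. ALLOWED_TIDS is a hypothetical placeholder for the property IDs
// the site legitimately owns; everything else is reported for termination.
const ALLOWED_TIDS = new Set(["UA-12345678-1"]);

// Parameters a normal pageview/event hit carries (Measurement Protocol names).
const EXPECTED_PARAM = /^(v|tid|cid|t|dp|dl|dt|dr|ea|ec|el|ev|z|_s|aip|ul|de|sr|vp|sd|je|cd\d+|cm\d+)$/;
// Free-text parameters whose values are worth scanning for shopper data.
const SCANNED_PARAM = /^(dp|dl|dt|dr|ea|ec|el|cd\d+)$/;
// 13-19 digit runs (card-number shaped) or field names typed into checkout forms.
const SENSITIVE_VALUE = /\b(?:\d[ -]?){13,19}\b|password|ccnumber|cvv/i;

// url: the request URL; body: an optional POST body (GA sends either form).
function classifyHit(url, body = "") {
  const u = new URL(url);
  const isGA = /(^|\.)google-analytics\.com$/.test(u.hostname) && u.pathname.endsWith("/collect");
  if (!isGA) return { ga: false, action: "ignore", reasons: [] };

  const params = new URLSearchParams(body || u.search);
  const reasons = [];
  const tid = params.get("tid");
  if (!tid || !ALLOWED_TIDS.has(tid)) reasons.push(`unknown tid ${tid}`);

  for (const [key, value] of params) {
    const known = EXPECTED_PARAM.test(key);
    if (!known) reasons.push(`unexpected param ${key}`);
    // Unknown parameters are always scanned; known ones only if they carry free text.
    if ((!known || SCANNED_PARAM.test(key)) && SENSITIVE_VALUE.test(value)) {
      reasons.push(`sensitive-looking value in ${key}`);
    }
  }
  return { ga: true, tid, action: reasons.length ? "block" : "allow", reasons };
}

// Constructed sample hits: one ordinary pageview, one event carrying a card-shaped
// value to a UA code the site does not own, and one with a foreign parameter.
const SAMPLE_HITS = [
  "https://www.google-analytics.com/collect?v=1&tid=UA-12345678-1&cid=555.123&t=pageview&dp=%2Fcheckout&z=1234567890123",
  "https://www.google-analytics.com/collect?v=1&tid=UA-99999999-9&cid=555.123&t=event&ec=form&ea=submit&el=4111%201111%201111%201111",
  "https://www.google-analytics.com/collect?v=1&tid=UA-12345678-1&t=event&ccnumber=x",
];

for (const hit of SAMPLE_HITS) {
  const r = classifyHit(hit);
  console.log(r.action, r.tid, r.reasons.join("; "));
}
```

In a real deployment the same check would run in the service that proxies or observes outbound requests, and `block` would terminate the request rather than just log it.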
Build up your defense
Yottaa’s SERVICE CTRL can easily do all this and more for your eCommerce site. SERVICE CTRL enables brands to control when and where all services and code are being executed, including 3rd parties and internal services you intend to have on site, as well as services that are not welcome and should be blocked.
The truth is, there is no “cover-all” solution for these types of security threats, but by building up your defense with CSPs and SERVICE CTRL, you can minimize the chances of these attacks happening to you. Every eCommerce site should be using a CSP as a layer of their security strategy, and SERVICE CTRL can take your CSP beyond its limitations to address the GA (and many other) vulnerabilities. As mentioned earlier, any site using GA needs to act now, and Yottaa’s innovative approach to deploying CSP can help.
Get in touch to learn more about how Service CTRL can help your eCommerce site.