Hacking Google Analytics
April 10th, 2006
Update: See below the original post for a workaround for this.
Most of you will have at least one friend who is obsessed with the web stats program. That may very well be me. If you want to have some fun with said friend, read on.
I was looking at the "Content by Titles" report on Google Analytics and noticed a page title that didn't seem to belong to my website. I opened the site via FTP to make sure I hadn't uploaded a page that shouldn't be live. Nothing. So back into Google Analytics I went; I wanted to know why this page was generating hits.
It turns out that someone had copied the source code of my Google Maps housing project and was hosting it on their own website, but forgot to remove my Analytics references. Whenever someone hit the page on their site, it would thus register as a hit in my analytics. My first response was to try and contact the company. All email addresses and phone numbers on their website were unresponsive or gave server errors. I did a WHOIS lookup only to find more unresponsive email addresses (to make a long story short, I still haven't been able to get in contact with them).
But what really interested me was how easily you could skew a website's statistics by simply adding a couple of lines of JavaScript to the source code of your own site. If your website generated enough traffic, you could effectively render a target website's Analytics meaningless.
Could it really be that simple?
Turns out it is. Want to skew the statistics of a friend's website, how about a competitor? Look up their source code, plug it into your website header and laugh. But don't worry, you could run multiple accounts, and hit them both on each page. That way you can keep your stats flowing just like normal.
Drawbacks
With any hack there are consequences, the most significant of which would be your competitor/friend having access to some pretty personal statistics. Somehow you want to be able to generate a lot of meaningless hits, without giving away your stats!
Analytics uses JavaScript to register a 'hit'. In the source code a call is made that pings Google's servers.
urchinTracker();
So one call = 1 hit. How about 2 calls? How about 200 calls?
urchinTracker(); urchinTracker(); urchinTracker(); urchinTracker(); urchinTracker(); ...
UPDATE 7:30pm April 11th, 2006
I just received an email from Google with some guidelines on how you can avoid these problems. I'm going to use it, and some of you may need it now also. I was really impressed by the response time on the issue.
Terrill
Regarding your post: http://terrill.ca/posts/google_analytics.html
Google Analytics can easily filter on a specific domain so you can avoid this problem. We don't apply this filter by default because many of our users like to track multiple domains.
Here is a help article that describes how to do it:
Link To Help Page
As a best practice, we generally recommend people set up their reports with this filter to avoid the problem of other people stealing their web pages and accidentally grabbing their Google Analytics tracking code. But as someone in a user forum pointed out regarding this post, it can be a handy way of discovering sites who "borrow" your site design and content.
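
The domain filter described in the email, sketched as an added example (not code from the original post or from Google Analytics): it keeps only hits reported from your own domain and lists the other hostnames that are running a copy of your tracking code. The record shape, function names and hostnames are assumptions made for illustration.

```javascript
// Added example: hostname filtering over constructed hit records.
// The {hostname, title} record shape is an assumption for illustration,
// not a Google Analytics export format.

// True when `hostname` is `domain` itself or a subdomain of it.
// Matching on ".domain" avoids accepting look-alikes such as notexample.com.
function belongsTo(hostname, domain) {
  const h = String(hostname || "").toLowerCase().replace(/\.$/, "");
  const d = domain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Split hits into those from our own domains and those reported by
// other hosts that carry a copy of our tracking code.
function partitionHits(hits, ownDomains) {
  const kept = [];
  const foreign = new Map(); // hostname -> { count, titles }
  for (const hit of hits) {
    if (ownDomains.some((d) => belongsTo(hit.hostname, d))) {
      kept.push(hit);
      continue;
    }
    const key = String(hit.hostname || "(not set)").toLowerCase();
    const entry = foreign.get(key) || { count: 0, titles: new Set() };
    entry.count += 1;
    entry.titles.add(hit.title);
    foreign.set(key, entry);
  }
  // Busiest foreign host first, so a heavy copy stands out.
  const report = [...foreign.entries()]
    .map(([hostname, e]) => ({ hostname, count: e.count, titles: [...e.titles] }))
    .sort((a, b) => b.count - a.count);
  return { kept, report };
}

// Constructed sample data; example.com stands in for the real site.
const sampleHits = [
  { hostname: "example.com", title: "Home" },
  { hostname: "www.example.com", title: "Housing Map" },
  { hostname: "copycat.invalid", title: "Housing Map" },
  { hostname: "copycat.invalid", title: "Housing Map" },
  { hostname: "notexample.com", title: "Home" },
  { hostname: "", title: "Home" },
];

const result = partitionHits(sampleHits, ["example.com"]);
console.log(result.kept.length, result.report);
```

The `report` list doubles as the discovery aid mentioned in the email: each foreign hostname appears with the page titles it reported.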