zlacker

[return to "Show HN: I made a privacy-first minimalist Google Analytics"]
1. whylo+P9[view] [source] 2018-09-19 15:29:55
>>Adriaa+(OP)
This is a great idea and I love the design.

It looks like anyone can see the stats for any domain using the service without any authentication. I added the tracking code to my domain and was able to hit https://simpleanalytics.io/[mydomain.co.uk] without signing up or logging in. I was also able to see the stats for your personal site.

Is that intentional? If it is, it seems like an odd choice for a privacy-first service. If not, it seems like quite a worrying oversight in a paid-for product.

◧◩
2. aemble+xd[view] [source] 2018-09-19 15:55:37
>>whylo+P9
I see what you mean https://simpleanalytics.io/adriaan.io
◧◩◪
3. donalt+de[view] [source] 2018-09-19 16:01:01
>>aemble+xd
Some people are taking advantage of this to leave messages for us: https://simpleanalytics.io/simpleanalytics.io

Edit: It seems to have been filtered now, but people were using spoofed referer headers to leave offensive messages for HN users.

◧◩◪◨
4. whylo+Ve[view] [source] 2018-09-19 16:06:32
>>donalt+de
Yeah, I saw that too. Someone tested for XSS in the referer too (<script> tag) but luckily it was escaped
[go to top]