Lance Ramoth


Why is StumbleUpon Stealing Your Google Analytics Data?

Something is wrong with this picture. StumbleUpon badges send your Google Analytics cookies back home.

We have StumbleUpon share badges on many content pages on our site. The other day I noticed that the scripts loaded by this badge were generating the following error in WebKit browsers: "Unable to post message to http://www.stumbleupon.com. Recipient has origin ...." This looks like a cross-domain communication issue.

So I looked into the JavaScript they drop on our pages, which is where this gets more interesting. (You can fetch the script yourself by curling the following URL: http://www.stumbleupon.com/hostedbadge.php?s=5)

Here are the most interesting pieces of the code in the getData method. It essentially grabs your Google Analytics cookies and returns them to the caller.

```javascript
// Excerpt from the badge's getData method, wrapped in a function with a
// params object so it runs as a unit; the wrapper is an assumption, the
// cookie logic is what the badge does.
function getData() {
    var params = {};
    var utmcc = "";
    // The four classic Google Analytics cookie names the badge is after.
    var ga_cookies = {'__utma': true, '__utmb': true, '__utmc': true, '__utmz': true };
    var cookies = document.cookie.split(';');
    for (var i = 0; i < cookies.length; i++)
    {
        var pos = cookies[i].indexOf('=');
        if (pos == -1) continue;
        // Every cookie after the first carries a leading space in document.cookie.
        var cookie_name = cookies[i].substring(0, pos).trim();
        // The excerpt used substring(pos), which leaves the '=' in the value.
        var cookie_value = cookies[i].substring(pos + 1);
        if (ga_cookies[cookie_name] === true)
        {
            utmcc += (utmcc ? ";" : "") + cookie_name + "=" + cookie_value;
        }
    }
    // The joined GA cookie string travels with the rest of the badge parameters.
    params['utmcc'] = utmcc;
    return params;
}
```

When the window loads, the following code runs and sends your Google Analytics cookies to StumbleUpon via postMessage:

```javascript
window.onload = function() {
    // ... (other badge setup code, elided in this post)
    try {
        var data = getData();
        top.postMessage(data, 'http://www.stumbleupon.com/');
    } catch (err) {}
}
```

On a side note, according to the Mozilla Developer Network, window.postMessage is a method for safely enabling cross-origin communication. Cross-domain messaging is part of the HTML5 spec.
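As an added example (not code from this post or from StumbleUpon's badge script), the following JavaScript shows the site owner's side of the two steps above: a correct document.cookie parser that lists which analytics cookies any third-party script on the page can read, and a wrapper around postMessage that logs every outgoing message and drops those addressed to origins outside an allowlist. The fake top window, the sample cookie string and the allowlisted origin https://widgets.example-cdn.test are constructed for the demonstration; it runs under Node, which provides the global URL class.

```javascript
// Added example: a site-owner audit helper, not code from the post or from
// StumbleUpon's badge. Runs under Node (uses the global URL class).

// Parse a document.cookie string ("sid=abc; __utma=1.2.3") into {name: value}.
function parseCookies(cookieString) {
  var result = {};
  if (!cookieString) return result;
  var parts = cookieString.split(';');
  for (var i = 0; i < parts.length; i++) {
    var pos = parts[i].indexOf('=');
    if (pos === -1) continue;
    // Every cookie after the first carries a leading space, so trim the name;
    // the value starts one character past the '=' and may itself contain '='.
    var name = parts[i].substring(0, pos).trim();
    var value = parts[i].substring(pos + 1);
    if (name) result[name] = value;
  }
  return result;
}

// Names of Google Analytics cookies readable by any script on the page: the
// classic __utm* family the post shows being collected, plus the later _ga* family.
function exposedAnalyticsCookies(cookieString) {
  return Object.keys(parseCookies(cookieString)).filter(function (name) {
    return name.indexOf('__utm') === 0 || name.indexOf('_ga') === 0;
  });
}

// Reduce a postMessage targetOrigin argument to a comparable origin string.
function normalizeOrigin(targetOrigin) {
  if (targetOrigin === '/') return 'same-origin';
  if (targetOrigin === '*') return '*';   // wildcard: never treated as allowlisted
  try { return new URL(targetOrigin).origin; } catch (e) { return String(targetOrigin); }
}

// Replace target.postMessage with a guard that records every call and only
// forwards messages whose target origin is same-origin or on the allowlist.
// Returns the audit log so it can be inspected or shipped to a reporting endpoint.
function installPostMessageGuard(target, allowedOrigins) {
  var original = target.postMessage;
  var log = [];
  target.postMessage = function (message, targetOrigin) {
    var origin = normalizeOrigin(targetOrigin);
    var allowed = origin === 'same-origin' || allowedOrigins.indexOf(origin) !== -1;
    log.push({ origin: origin, allowed: allowed, message: message });
    if (allowed) return original.apply(target, arguments);
    // Not allowlisted: the message is dropped and only the log records it.
  };
  return log;
}

// Constructed stand-in for the browser's top window.
function makeFakeTop() {
  var delivered = [];
  return {
    delivered: delivered,
    postMessage: function (message, targetOrigin) {
      delivered.push({ message: message, targetOrigin: targetOrigin });
    }
  };
}

// Constructed sample cookie jar: a session cookie plus the four GA cookies.
var SAMPLE_COOKIE = 'sid=abc123; __utma=1.2.3.4.5; __utmb=1.2.3; __utmc=1; __utmz=1.2.3.4.utmcsr=(direct)';

// Simulate the badge's call with the guard installed, then two legitimate calls.
function demo() {
  var top = makeFakeTop();
  var log = installPostMessageGuard(top, ['https://widgets.example-cdn.test']);
  var collected = exposedAnalyticsCookies(SAMPLE_COOKIE).join(';');
  top.postMessage(collected, 'http://www.stumbleupon.com/');     // blocked, logged
  top.postMessage('ping', 'https://widgets.example-cdn.test/x');  // allowed
  top.postMessage('ping', '/');                                   // allowed: same origin
  return { log: log, delivered: top.delivered };
}

console.log(JSON.stringify(demo().log, null, 2));
```

The wrapper catches the badge's call because the badge script is injected into the host page itself, so `top` is the host window and the call goes through the replaced method. It does not reach a script that saved a reference to the original postMessage before the guard was installed, or one running inside a cross-origin iframe, and a Content Security Policy does not govern postMessage at all; the audit log is the useful part, since it shows which third-party origins are being messaged and with what.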

This looks very suspicious to me. What is StumbleUpon doing with our Google Analytics data? Do they have permission to just grab it without telling us? What makes it even more interesting is that an ex-Googler who also worked on the Google Analytics product now works at StumbleUpon.

If I've made some sort of error here, or you have more information about this, please email me. I'll quickly update this post.

Edit: To prevent SU from collecting your users' Google Analytics data for your domain, add this simple patch. Place this code snippet (in script tags) anywhere after SU's button script:

```javascript
window._loadCalled = true;
```

Posted by Lance Ramoth on Oct 27, 2011