Google Security Issue #3: Light CSRF on Google Analytics

July 14, 2011

Light meaning the damage is minor, but still a CSRF. You could delete all scheduled e-mails, this is how it used to work:

If you go to Google Analytics->My Customization->Email.
The following call is not protected:

This works even without the pdr parameter. So you only need to know the id and you can iterate with emailId from 0 to whatever, deleting all the scheduled emails.

Following is a plausible scenario on how you can get the id and execute the CSRF at the same time:

  1. Attacker builds a page that extracts from the Refere the needed id and using the id iterates emailId from 0 to n issuing unprotected delete email calls like the one above.
  2. Attacker makes sure he visits the victims site from his attack page.
  3. Victim opens Analytics->Traffic Sources->Referring Sites.
  4. Victim clicks on the link to the attacker page thus setting the referrer to something like this:
  5. The attacker page deletes all data from Scheduled Emails.

© 2023,