Comment by whylo
7 years ago
This is a great idea and I love the design.
It looks like anyone can see the stats for any domain using the service without any authentication. I added the tracking code to my domain and was able to hit https://simpleanalytics.io/[mydomain.co.uk] without signing up or logging in. I was also able to see the stats for your personal site.
Is that intentional? If it is, it seems like an odd choice for a privacy-first service. If not, it seems like quite a worrying oversight in a paid-for product.
I see what you mean https://simpleanalytics.io/adriaan.io
Some people are taking advantage of this to leave messages for us: https://simpleanalytics.io/simpleanalytics.io
Edit: It seems to have been filtered now, but people were using spoofed referer headers to leave offensive messages for HN users.
Yeah, I saw that too. Someone tested for XSS in the referer too (<script> tag) but luckily it was escaped
Part of the offering is transparent (public) analytics
It says there's the ability to make them public, but it doesn't mention that they'll be public by default. Maybe it's different if you sign up first before adding the tracking code, but it's odd that I can use the tracking code without signing up for the trial.