Statcounter users: hacker warning!
Monday, August 29, 2005
If you use Statcounter for your hit counter, beware.
Previously I'd noticed that I sometimes got referrals to my blog from statcounter.com/counter/counter.js, and there wasn't any real explanation for it that made sense on the Statcounter forum (e.g. see this thread). So when I wrote up a summary of common Statcounter referers, I left that one as a mystery.
In fact, I've since heard that that referral signifies an attempted account hijack. Apparently it's very easy for hackers to retrieve your counter info, and they might even take over your account and sniff for keystrokes by pretending to be a .cgi page at Statcounter. Techie details are at this insecure.org page (and no, I don't understand most of it myself!).
Bottom line is, hackers could find out your Statcounter username and password.
That insecure.org page says that Statcounter have fixed this vulnerability. But I know that some people aren't too sure about how secure they really are, still.
What to do? For starters, if you installed your Statcounter code before April 2005, get ye to the Statcounter installation page pronto and update the Statcounter code in your template. (It's the spanner icon next to the project for your blog in the projects list, or in the top left corner of the page in most views; click Install Code and make sure you replace the Statcounter code in your template with the latest version of the code.)
Second, if you use the same username/password for Statcounter as for your other Web accounts, don't! Change them (especially if you've encountered the statcounter.com/counter/counter.js referer in your own Statcounter logs). Make sure your Statcounter username and password are different from what you use for your other online accounts.
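If you also keep your own web server's access logs, you can run the same check there rather than only eyeballing the Statcounter stats page. The script below is an added example, not code from this post or from Statcounter: it assumes the Apache/NCSA "combined" log format, and the log lines it scans are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit

# Apache/NCSA "combined" log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The referer the post says to watch for (host and path taken from the post).
SUSPECT_HOST = "statcounter.com"
SUSPECT_PATH = "/counter/counter.js"


def parse_combined(line):
    """Parse one combined-format line into a dict, or return None if it doesn't fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspect_referer(referer):
    """True if the referer is /counter/counter.js on statcounter.com or a subdomain
    of it (e.g. www.statcounter.com). An empty referer is logged as "-"."""
    if not referer or referer == "-":
        return False
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    if host != SUSPECT_HOST and not host.endswith("." + SUSPECT_HOST):
        return False
    return parts.path == SUSPECT_PATH


def find_suspect_hits(lines):
    """Return (time, client host, request) for every line carrying the suspect referer."""
    hits = []
    for line in lines:
        entry = parse_combined(line)
        if entry and is_suspect_referer(entry["referer"]):
            hits.append((entry["time"], entry["host"], entry["request"]))
    return hits


# Constructed sample log lines (documentation IP ranges, not real visitors).
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Aug/2005:10:12:01 +0100] "GET / HTTP/1.1" 200 5120 '
    '"http://www.google.com/search?q=blog" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Aug/2005:10:15:44 +0100] "GET /2005/08/post.html HTTP/1.1" 200 8212 '
    '"http://www.statcounter.com/counter/counter.js" "Mozilla/4.0"',
    '192.0.2.9 - - [29/Aug/2005:10:20:03 +0100] "GET /index.html HTTP/1.1" 200 4100 '
    '"-" "Mozilla/5.0"',
    '192.0.2.10 - - [29/Aug/2005:10:21:17 +0100] "GET /about.html HTTP/1.1" 200 3000 '
    '"http://statcounter.com/project/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for when, who, what in find_suspect_hits(SAMPLE_LOG):
        print(f"{when}  {who}  {what}  <- referer statcounter.com/counter/counter.js")
```

Two caveats when reading the result: the Referer header is whatever the visitor's browser chose to send, so a hit here is a prompt to check your Statcounter account and change your password, not proof that anything happened; and the check only matches the exact path the post names, so a referer from some other Statcounter page (as in the last sample line) is left alone on purpose.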
Finally, you might think twice about continuing to use Statcounter for your hit counter, unless they can assure us all that they have really secured their site and their code. I'm still using them for now because my password for Statcounter is unique and my Statcounter account as far as I can see hasn't been messed with, but I'm certainly going to reconsider my use of Statcounter.
(Thanks to Tab for the heads up on this).
Technorati Tags: Statcounter, Statcounter.com, hit counters, security, hacking, hackers, referers, warning, alert, hacker alert, Improbulus, A Consuming Experience, Consuming Experience