Google Analytics by Yoast
This Plugin HAS A HUGE Security Flaw.. No Answer Yet??? (6 posts)

  1. wallydavid
    Posted 1 year ago #

    DO NOT use this plugin if:
    A.) You manage multiple clients' SEO in a single analytics account and
    B.) you are a developer handing a site over to an end user.

    I posted this here: http://wordpress.org/support/topic/the-settings-show-my-clients-all-of-my-accounts?replies=1 and here: http://wordpress.org/support/topic/menu-settings-show-clients-all-accounts?replies=1 and have not received an answer yet.

    Basically, if you are a developer managing SEO for multiple sites through a single Google Analytics account (which many agencies do), when you authenticate your account and choose the client in your analytics, and then hand the site over to the end user, the end user can choose the plugin from the menu, click the drop-down list of sites available with that authentication and SEE all the other analytics accounts tied to that account and even change their site to another client's site. Doesn't seem like you should be able to do that.

    I have not seen a fix for this yet other than, once it is set, to remove it from the menu so there is no access to it any more.


  2. esmi
    Forum Moderator
    Posted 1 year ago #

    Please contact plugins at wordpress dot org with full details.

  3. SoCalCreations
    Posted 1 year ago #

    I don't think this is a security flaw with this plugin as much as it is your agency's misunderstanding of how Google Analytics' (GA) new interface works.

    If I understand you correctly,
    - You Build a Site, add client GA tracking number to your agency GA account, then install (GA) tracking number (UA-XXXXXX-X) through this plugin
    - Hand the site over

    This is where I think the mistake is, if I understand your post correctly.

    Installing the tracking should be done by your agency of course, but with the new owner's/company's email and their own account with Google Analytics.
    On their (client's) (GA) account you must add your agency's account email information in the 'Account Permissions' under the 'User Management'. Your agency email will get a confirmation email to link to the client (GA) account. From there, you can now see your client's analytics reports from your own agency (GA) page and they cannot see any other customer sites' analytics.

    Installing GA on your agency's account and then assigning your client's email to see their analytics is fundamentally backwards and would create that 'security flaw' you are concerned with.

    I hope that helps you.

    FYI Google is doing training on GA starting next week on 10/8/2013, for more info go to https://analyticsacademy.withgoogle.com/preview

  4. RyanKent
    Posted 1 year ago #

    I wish WP.org would add a LIKE button because SoCalCreations' reply is perfect.

    The GA plugin by Yoast is excellent.

  5. webavant
    Posted 1 year ago #

    I am also having this problem. I chose my own profile, and now my client sees my sites. There is no way to remove it, not even by uninstalling and deleting the plugin. Where is this plugin storing my auth token? I have tried many SQL queries, including

    select option_value from wp_options where option_value like '%google%';

    Which I thought would at least return something, but there is nothing. Please respond. I must remove my Google Analytics API auth token from my site. I have even disabled the app in my Google account security settings, and this plugin is still displaying the GA accounts from my profile, despite the fact that I have denied it the privilege of doing this. I have emptied cache/cookies.

    If you think this is not a security problem, then please reconsider, given that it continues to access information from my profile without having approval, leaving no obvious way to remove it. All I ask is that you show me how to remove the auth token, and perhaps consider adding some options in the dashboard to purge that data.


  6. esmi
    Forum Moderator
    Posted 1 year ago #

    @webavant: As per the Forum Welcome, please post your own topic.

Topic Closed

This topic has been closed to new replies.
