StatCounter.com: “Shut that door!”

It may be free, it may be invisible, but reliable it isn’t. At least not yet.

Yesterday, our blog stats showed a StatCounter.com page as one of the ‘referring URLs’.

That means someone came to our blog from their StatCounter.com stats page (after I’d visited their site from our site).

In fact, I’d visited their site to get a graphic for our client list. Noticing my visit, they’d clicked backwards to our site. Nothing unusual about that.

What is unusual is what happened when I clicked on the referring URL. I found myself on a StatCounter.com page - logged in to our client’s account!

So, StatCounter.com, if you’re listening: in the words of the legendary Larry Grayson -

“Shut that door!” :-)

Comments

2 Responses to “StatCounter.com: “Shut that door!””

  1. Aodhan Cullen on July 3rd, 2008 11:43 am

    Hi!

    I came across your post, and if I may, I’d like to explain a bit more about this issue.

    The problem you describe ONLY arises if you have cookies disabled when you login to StatCounter. In this case, you are kept logged into StatCounter via a session ID which is not as secure as the cookie method. Please note though, that the session ID does expire after a short period of time.

    For the reason above, we highly recommend users to enable cookies. However even if someone does gain access to your account in the minutes while a session ID is still active, they will be unable to do anything harmful e.g. change your password or delete data – to do this your password must be known.

    I hope this clears things up.

    Aodhan Cullen
    StatCounter CEO

  2. admin on July 3rd, 2008 12:15 pm

    Thanks for the comment, Aodhan (great to see someone’s online reputation monitoring working).

    I’m just the bloke who fell into someone’s house through the back door ;-)

    I think it’s important to point out that I’ve gained entrance to someone else’s account via a ‘referring site’ link in my own Wordpress stats.

    Here’s how it happened:

    1) I put a link to a client on my website
    2) Someone clicked from my site to theirs
    3) My client (signed in without cookies) sees my site URL in his StatCounter.com stats
    4) They click that URL and come to my site
    5) My Wordpress site stats show me a referring URL similar to my9.statcounter.com/project/xyzsomething
    6) I click on that URL
    7) Presto, I’m in my client’s account, signed in

    I think what you’re saying is that I got in because his session ID was active (since he used that method rather than cookies).

    I just tried the link now and found myself not logged in.

    Nonetheless, it still means that IF he’s recently been signed in to StatCounter and IF I click the back link within that time period, I’ll still get in, which I wouldn’t have thought ideal.

    Anyway, hope that helps!
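The mechanism both comments describe (a session ID carried in the URL when cookies are off, leaked through the Referer header to whichever site the logged-in user clicks through to, and dead once the session expires), as an added illustration that is not StatCounter’s code: the `sid` parameter name, the session table, the 15-minute lifetime and the URLs are all assumptions made for the example.

```python
"""Session ID in the URL versus session ID in a cookie, and how the URL form
leaks through the Referer header. Every name and value here is constructed."""
import time
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

SESSION_PARAM = "sid"          # assumed name of the query-string / cookie parameter
SESSION_TTL = 15 * 60          # assumed short session lifetime, in seconds
# constructed session table: sid -> (account, time the session was issued)
SESSIONS = {"abc123": ("client-account", 1_000_000)}

def lookup(sid, now):
    """Resolve a session ID to an account, honouring expiry (a stale link is harmless)."""
    entry = SESSIONS.get(sid)
    if entry is None or now - entry[1] > SESSION_TTL:
        return None
    return entry[0]

def account_from_url_session(headers, url, now=None):
    """Legacy behaviour: the session ID is accepted from the query string,
    so it travels in the URL and is sent as Referer to any site clicked from it."""
    sid = parse_qs(urlsplit(url).query).get(SESSION_PARAM, [None])[0]
    return lookup(sid, now if now is not None else time.time())

def account_from_cookie_session(headers, url, now=None):
    """Hardened behaviour: only the Cookie header carries the session; the URL is ignored,
    so a referring URL copied out of someone else's stats authenticates nobody."""
    jar = SimpleCookie(headers.get("Cookie", ""))
    sid = jar[SESSION_PARAM].value if SESSION_PARAM in jar else None
    return lookup(sid, now if now is not None else time.time())

def referer_carries_session(referer):
    """Detection check for a site owner: does a 'referring URL' in my own stats
    carry a session parameter? If so, the referring service is leaking logins."""
    return SESSION_PARAM in parse_qs(urlsplit(referer).query)

def follow_referring_link(handler, now):
    """Reproduce the blog's steps 5-7: a third party clicks the referring URL that
    appeared in their stats. They hold no cookie; only the URL is sent."""
    referring_url = "https://stats.example/project/42?sid=abc123"  # constructed Referer value
    third_party_headers = {}                                       # never logged in themselves
    return handler(third_party_headers, referring_url, now)
```

With the legacy handler the link opens the client’s account while the session is live and nothing afterwards, matching what the author observed; with the cookie-only handler it never does.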
