What’s the big deal? I mean, this script only collects visit statistics, so who cares? The problem is that this script gets the same kind of access to the web page as the web page’s own scripts. That means it can theoretically steal your authorization cookies, send your password to a third party when you log in, or simply alter the web page content to display a fake news message. And nobody will notice: even if somebody looks at that script, it is obfuscated, and noticing an important behavior change is anything but trivial.
In short, Google isn’t doing the Web a favor by pushing its various services like Google Ads, Google Analytics or Google Gadgets as script includes. Of course, Google isn’t alone here, but Google happens to be the most common source of third-party script includes from what I can see, and as such it has a bigger responsibility. Now that Adblock Plus 1.0 is released, I can recommend adding this filter to the Adblock Plus filter list:
This might break a few websites but that should be pretty uncommon and in my opinion the security gain by far outweighs the issues.
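An added example, not part of the original post: a small Python audit that lists which script includes on a page come from other hosts, that is, the code that runs with the page's own privileges as described above. The host-matching rule (subdomains count as first-party) and the sample page with its placeholder host names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def is_third_party(page_host, script_host):
    # Assumption: a host is first-party if it equals the page host or is a
    # subdomain of it. Real tools compare registrable domains instead.
    page_host, script_host = page_host.lower(), script_host.lower()
    return not (script_host == page_host or script_host.endswith("." + page_host))

def third_party_scripts(page_url, html):
    """Return {host: [script URLs]} for scripts loaded from other hosts."""
    collector = ScriptCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname or ""
    found = {}
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and //host/ URLs
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # data: and similar URLs are not network includes
        if is_third_party(page_host, parts.hostname):
            found.setdefault(parts.hostname, []).append(absolute)
    return found

# Constructed sample page; all host names are placeholders.
SAMPLE_URL = "https://shop.example/login"
SAMPLE_HTML = """\
<script src="/js/app.js"></script>
<script src="https://static.shop.example/lib.js"></script>
<script src="//stats.tracker.example/collect.js"></script>
<SCRIPT SRC="http://ads.adnet.example/show.js"></SCRIPT>
<script>var inline = 1;</script>
"""

if __name__ == "__main__":
    for host, urls in third_party_scripts(SAMPLE_URL, SAMPLE_HTML).items():
        print(host, urls)
```

On the sample login page, the two foreign hosts are reported while the site's own relative and subdomain includes are not.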
Update (2009-01-13): Adblock Plus 1.0.1 now makes it easier to fix the false positives in this filter: you can add a domain option to disable the filter on some domains that won’t work otherwise. For example: