
I don’t see how this service checks if the website is supposed to be using it. So it seems any website can get all this information and use it to track users.


Disclaimer: I’m the author of this article.

As it says in the article, the application doesn’t check at all which website connects to it. It seems that they rely on their obfuscation, hoping that only eligible websites will be able to decrypt the data. Which, quite frankly, is a stretch.


The idea was that random, unauthorized websites can access the JSONP endpoint but can't use the data because it is encrypted. Which, as the author explained, might have worked - had they not completely botched the encryption by using an extremely short asymmetric key for one set of data and symmetric keys for the other two pieces.



