Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Security on Google Analytics and other client-side analytics tools?

Google Analytics tracks users through a client-side javascript that customers place on their site. As is well known in the security community, client-side input cannot be trusted.

So, I was wondering, what prevents the following from occuring:

  • Malicious users faking requests to give misleading information to a website owner. For example, they might make them think that most people go to page A rather than page B, which messes up their entire analytic understanding of their web traffic
  • Malicious users who simply make the website think they're getting a lot more traffic than they are, making them think they have more traction than they do. This would really mess up a pitch to investors when the traffic starts going downhill at a later point.
  • Malicious users who simply flood the logs, making any sort of analytics impossible.

The only possible protections I can think of are based on HTTP headers and IP address rate limiting, each of which could be avoided through tampering headers and using proxies, respectively.

I ask because I was thinking of writing a similar client-side tracking JavaScript. But thinking about all the security flaws I started to wonder why anyone uses or trusts client-side tracking to begin with.

like image 999
bgcode Avatar asked Feb 06 '12 19:02

bgcode


People also ask

How secure is Google Analytics?

Analytics 360 protects your website tracking transactions with Secure Socket Layer (SSL) technology and your visitors' information is secure, too. Google does not collect or store any personally identifiable information (PII), including encrypted email addresses.

What is the biggest privacy concern with Google Analytics?

The key compliance issue with Google Analytics is that it stores user data, including information about EU residents, on US-based cloud servers. On top of that, Google LLC is a US-owned company and subject to US surveillance laws, such as the Cloud Act.

Is Google Analytics client-side or server side?

The Google Analytics Platform lets you measure user interactions with your business across various devices and environments. Google Analytics provides the resources to collect, store, process, and report on these user-interactions. You can collect analytics on the client side and on the server side.

What privacy protection tool does Google Analytics 4 offer?

IP anonymization is available in Google Analytics for both web and app. Learn how IP anonymization works.


1 Answers

Yes, an attacker can manipulate the requests that are sent to Google's servers.

I am not aware of anything Google does to protect against this. There just isn't a good way to prevent such behaviour.

So why do users still trust GA? A malicious attacker can spoof all request headers, but cannot spoof the IP Address. So even if the reports show lot of traffic, you will very quickly figure out its all coming from the same IP Address. In other words, it is trivial to discount the additional traffic.

Of course someone could run the attack from several machines spread all over the world. You will then see fake traffic from all over the place. You can still catch the malicious traffic by filtering on things like the user agent or other http headers, or other such "signature" unique to the malicious script.

You will say "But someone can write a script that simulates real life like HTTP headers". Sure. But that raises the bar pretty high. You are talking about someone who has access to hundreds of machines all over the world, can write scripts that work for several months to fool you, and can generate random enough data so that you can't filter on any one attribute.

Someone who is that determined can and will have his way.

like image 55
Sripathi Krishnan Avatar answered Sep 24 '22 02:09

Sripathi Krishnan