Google Analytics tracks users through a client-side JavaScript that customers place on their site. As is well known in the security community, client-side input cannot be trusted.
So, I was wondering, what prevents the following from occurring:
The only possible protections I can think of are based on HTTP headers and IP address rate limiting, each of which could be avoided through tampering headers and using proxies, respectively.
I ask because I was thinking of writing a similar client-side tracking JavaScript. But thinking about all the security flaws I started to wonder why anyone uses or trusts client-side tracking to begin with.
Analytics 360 protects your website tracking transactions with Secure Socket Layer (SSL) technology and your visitors' information is secure, too. Google does not collect or store any personally identifiable information (PII), including encrypted email addresses.
The key compliance issue with Google Analytics is that it stores user data, including information about EU residents, on US-based cloud servers. On top of that, Google LLC is a US-owned company and subject to US surveillance laws, such as the Cloud Act.
The Google Analytics Platform lets you measure user interactions with your business across various devices and environments. Google Analytics provides the resources to collect, store, process, and report on these user-interactions. You can collect analytics on the client side and on the server side.
IP anonymization is available in Google Analytics for both web and app.
Yes, an attacker can manipulate the requests that are sent to Google's servers.
I am not aware of anything Google does to protect against this. There just isn't a good way to prevent such behaviour.
So why do users still trust GA? A malicious attacker can spoof all request headers, but cannot spoof the IP address. So even if the reports show a lot of traffic, you will very quickly figure out it's all coming from the same IP address. In other words, it is trivial to discount the additional traffic.
Of course someone could run the attack from several machines spread all over the world. You will then see fake traffic from all over the place. You can still catch the malicious traffic by filtering on things like the user agent or other HTTP headers, or other such "signature" unique to the malicious script.
You will say "But someone can write a script that simulates real-life-like HTTP headers". Sure. But that raises the bar pretty high. You are talking about someone who has access to hundreds of machines all over the world, can write scripts that work for several months to fool you, and can generate random enough data so that you can't filter on any one attribute.
Someone who is that determined can and will have his way.
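The two-stage filtering described in the answer above, as an added example that is not part of the original answer or Google's own processing: hits are first discounted by source IP concentration, then by a shared header "signature" across many IPs. The hit tuple layout, the 20% share threshold, the function names, and all sample traffic are assumptions constructed for illustration.

```python
from collections import Counter

def build_sample_hits():
    """Constructed sample hits (not real traffic): (client_ip, user_agent, accept_language)."""
    browsers = ["Mozilla/5.0 (Windows NT 10.0) Firefox/120.0",
                "Mozilla/5.0 (Macintosh) Safari/605.1.15",
                "Mozilla/5.0 (X11; Linux) Chrome/119.0"]
    langs = ["en-US", "de-DE", "fr-FR", "ja-JP"]
    # 40 organic visitors: distinct IPs, mixed browsers and languages.
    hits = [(f"198.51.100.{i + 1}", browsers[i % 3], langs[i % 4]) for i in range(40)]
    # Single-source flood: 60 hits from one IP with a realistic browser header.
    hits += [("203.0.113.7", browsers[0], "en-US")] * 60
    # Distributed flood: 50 IPs, but every request carries the same headers.
    hits += [(f"192.0.2.{i + 1}", "ExampleBot/1.0", "en-US") for i in range(50)]
    return hits

def filter_suspect_hits(hits, max_share=0.2):
    """Return (kept_hits, flagged_ips, flagged_signatures).

    Stage 1 drops any IP responsible for more than max_share of all hits.
    Stage 2 runs on what is left, so a flood that borrowed a common browser
    signature does not cause organic visitors with that browser to be dropped.
    """
    ip_counts = Counter(ip for ip, _, _ in hits)
    flagged_ips = {ip for ip, n in ip_counts.items() if n / len(hits) > max_share}
    remaining = [h for h in hits if h[0] not in flagged_ips]

    # A "signature" here is the (user agent, language) pair shared across IPs.
    sig_counts = Counter((ua, lang) for _, ua, lang in remaining)
    flagged_sigs = {s for s, n in sig_counts.items() if n / len(remaining) > max_share}
    kept = [h for h in remaining if (h[1], h[2]) not in flagged_sigs]
    return kept, flagged_ips, flagged_sigs

if __name__ == "__main__":
    kept, ips, sigs = filter_suspect_hits(build_sample_hits())
    print(f"kept {len(kept)} hits; flagged IPs: {ips}; flagged signatures: {sigs}")
```

Traffic that varies every attribute across many source addresses passes both stages, which is the limit the answer itself points out.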