Security on Google Analytics and other client-side analytics tools?

Question

Google Analytics tracks users through a client-side javascript that customers place on their site. As is well known in the security community, client-side input cannot be trusted.

So, I was wondering, what prevents the following from occuring:

• Malicious users faking requests to give misleading information to a website owner. For example, they might make them think that most people go to page A rather than page B, which messes up their entire analytic understanding of their web traffic
• Malicious users who simply make the website think they're getting a lot more traffic than they are, making them think they have more traction than they do. This would really mess up a pitch to investors when the traffic starts going downhill at a later point.
• Malicious users who simply flood the logs, making any sort of analytics impossible.

The only possible protections I can think of are based on HTTP headers and IP address rate limiting, each of which could be avoided through tampering headers and using proxies, respectively.

I ask because I was thinking of writing a similar client-side tracking JavaScript. But thinking about all the security flaws I started to wonder why anyone uses or trusts client-side tracking to begin with.

Answer 1

Yes, an attacker can manipulate the requests that are sent to Google's servers.

I am not aware of anything Google does to protect against this. There just isn't a good way to prevent such behaviour.

So why do users still trust GA? A malicious attacker can spoof all request headers, but cannot spoof the IP Address. So even if the reports show lot of traffic, you will very quickly figure out its all coming from the same IP Address. In other words, it is trivial to discount the additional traffic.

Of course someone could run the attack from several machines spread all over the world. You will then see fake traffic from all over the place. You can still catch the malicious traffic by filtering on things like the user agent or other http headers, or other such "signature" unique to the malicious script.

You will say "But someone can write a script that simulates real life like HTTP headers". Sure. But that raises the bar pretty high. You are talking about someone who has access to hundreds of machines all over the world, can write scripts that work for several months to fool you, and can generate random enough data so that you can't filter on any one attribute.

Someone who is that determined can and will have his way.