Are Javascript analytics scripts susceptible to light hacking?

In production environments, Javascript-based analytics scripts (Google Analytics, Facebook Pixel, etc.) are introduced into most web applications along with a unique Javascript ID / Pixel ID.

For example, airbnb uses Google Analytics. I can open the dev console and run

setInterval(function() {ga('send', 'pageview');}, 1000);

which will cause the analytics pixel to be requested every second, forever. This is 3600 requests per hour from my machine.

This can now easily be done in a distributed manner, triggering millions of queries per second and completely distorting the Google Analytics data for the pageview event. I understand that the huge amount of data collected will correct this bias to a certain extent, but this can easily be compensated for by raising the number of requests.

My question is: Are there any precautions to prevent competitors or malicious individuals from destroying the integrity of these applications in this way? Does GA or Facebook provide such options?

1 answer

Yes, but the insecure part is not the Javascript. For example, you can use the Measurement Protocol to collect data for one account. Here you can see many people in the same community who have problems with this (and it is easy; just search): https://stackoverflow.com/search?q=spam+google+analytics

All of these measurement systems use HTTP calls to populate the data in your "database". If you can build the right call, you can spam everyone everywhere (but don't do it; don't be evil).

https://developers.google.com/analytics/devguides/collection/protocol/v1/?hl=es-419

This Google Analytics page explains the protocol; the Javascript only works as a framework for building and submitting hits.

But not all is lost. For example, if you try to do this in your browser with this code, the limit of the Google Analytics framework will be 1 call per second and 150 per session (or cookie value). Yes, it is not difficult to get past this barrier, but after that other barriers will come.

So, if you use the Javascript framework, it is safe. Now imagine that you are doing the same with Python by sending HTTP requests to a Google Analytics server. It is possible, but here are two important points:

  • Google Analytics has an active "firewall" to detect spammers and block them (how and when they do it is not public), but in my case I see far fewer spammers than several years ago.

  • There are also some good practices to avoid this. For example, keep only domains on a whitelist by creating a filter that allows only traffic from your domain: https://support.google.com/analytics/answer/1033162?hl=en

  • It is also very useful to protect e-commerce by using a filter to include only data from a particular store or with a specific parameter, such as brand == my brand or CustomDimension == true, and to exclude transactions with products over $1,000 (check your limits and apply proactive filters). All of these barriers together make it complex to break.

If you do this, you will protect your domain a lot (because it is very difficult to know the valid UA + domain combination when you create a robot), but you know that the whole system can be damaged. In my experience, I have seen only 2 or 3 cases of damage from a spammer or people who wanted to do harm, and in those cases it would have been possible to prevent it if I had created a proactive filter. Usually spammers only spam ads in your account and almost never want to harm you. Facebook, Piwik and other tools are more or less the same.

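As an added example (not code from the question, the answer or any analytics vendor), the following script shows what the answer's "proactive filter" idea looks like when applied on the collecting side, where hits arrive as plain HTTP calls and the Javascript framework's own limits no longer apply. It evaluates a stream of hit records against a hostname allow-list, a per-client rate limit modelled on the 1 hit/second and 150 hits/session figures quoted for the client framework, and a cap on transaction value like the $1,000 example. The hit records, field names (`clientId`, `hostname`, `type`, `value`, `ts`) and the host names are all constructed for illustration and do not match any vendor's real schema or limits.

```javascript
// Added example: a server-side "proactive filter" over a stream of analytics hits.
// Field names, hosts and sample hits below are constructed assumptions, not a vendor schema.

const POLICY = {
  allowedHosts: new Set(['www.example.com', 'shop.example.com']), // assumed allow-list
  minIntervalMs: 1000,       // at most 1 hit per second per client
  maxHitsPerSession: 150,    // session cap (mirrors the figure quoted in the answer)
  maxTransactionValue: 1000, // reject implausible transaction values
};

// Returns an evaluator that keeps per-client state (last accepted timestamp, hit count).
function makeFilter(policy = POLICY) {
  const perClient = new Map(); // clientId -> { lastTs, count }
  return function evaluate(hit) {
    // 1. Hostname allow-list: drop anything not claiming one of our domains.
    if (!policy.allowedHosts.has(hit.hostname)) return { accept: false, reason: 'hostname' };
    // 2. Sanity cap on e-commerce values so a forged hit cannot distort revenue reports.
    if (hit.type === 'transaction' && hit.value > policy.maxTransactionValue) {
      return { accept: false, reason: 'value' };
    }
    const state = perClient.get(hit.clientId) || { lastTs: -Infinity, count: 0 };
    // 3. Rate limit: hits closer than minIntervalMs to the last accepted hit are dropped
    //    (rejected hits do not advance lastTs, so a burst cannot "reset" the window).
    if (hit.ts - state.lastTs < policy.minIntervalMs) return { accept: false, reason: 'rate' };
    // 4. Session cap: once a client has sent maxHitsPerSession accepted hits, stop counting.
    if (state.count >= policy.maxHitsPerSession) return { accept: false, reason: 'session' };
    state.lastTs = hit.ts;
    state.count += 1;
    perClient.set(hit.clientId, state);
    return { accept: true, reason: null };
  };
}

// Runs every hit through a fresh filter and tallies accepted hits and rejection reasons.
function summarize(hits, policy = POLICY) {
  const evaluate = makeFilter(policy);
  const summary = { accepted: 0, rejected: {} };
  for (const hit of hits) {
    const result = evaluate(hit);
    if (result.accept) summary.accepted += 1;
    else summary.rejected[result.reason] = (summary.rejected[result.reason] || 0) + 1;
  }
  return summary;
}

// Constructed sample: a normal visitor (c1), a client firing a pageview every 200 ms (c2),
// one hit from a hostname that is not ours (c3), and one absurdly large transaction.
const SAMPLE_HITS = [
  { clientId: 'c1', hostname: 'www.example.com', type: 'pageview', ts: 0 },
  { clientId: 'c1', hostname: 'www.example.com', type: 'pageview', ts: 5000 },
  { clientId: 'c1', hostname: 'www.example.com', type: 'transaction', value: 49.9, ts: 9000 },
  { clientId: 'c2', hostname: 'www.example.com', type: 'pageview', ts: 0 },
  ...Array.from({ length: 10 }, (_, i) => ({
    clientId: 'c2', hostname: 'www.example.com', type: 'pageview', ts: 200 * (i + 1),
  })),
  { clientId: 'c3', hostname: 'evil.invalid', type: 'pageview', ts: 0 },
  { clientId: 'c1', hostname: 'www.example.com', type: 'transaction', value: 250000, ts: 12000 },
];

console.log(JSON.stringify(summarize(SAMPLE_HITS)));
// → {"accepted":6,"rejected":{"rate":8,"hostname":1,"value":1}}
```

On the sample, the 200 ms burst from `c2` collapses to one accepted hit per second, the foreign hostname and the oversized transaction are dropped before they touch any counter, and the normal visitor passes untouched. The point is that these checks live on the collecting side: they do not depend on the client framework, which is exactly the layer a direct HTTP sender bypasses.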

Source: https://habr.com/ru/post/1265535/
