2

Google Analytics offers functionality to track specific events happening on your site using JavaScript calls like this:

```javascript
ga('send', 'event', 'button', 'click', 'nav buttons', 4);
```

This is documented here: https://developers.google.com/analytics/devguides/collection/analyticsjs/events

I am wondering if this is secure?

Couldn't a user just open the JavaScript console in the Chrome web tools and make random calls to ga passing in random parameters and mess up our site's analytics!?

Or a more frustrating user could even add a little javascript loop and run the placement of infinite calls to ga event tracking?

It seems ludicrous if this is the case! This kind of thing needs to be server side in my opinion. I am just confused that Google would offer this client side option without considering accuracy and security! Have I missed something!?

Linda Lawton - DaImTo
RenegadeAndy
  • 1
    `Have I missed something!?` – indeed. You missed that analytics is for analytics, not for verifying that a user has paid for your merchandise or something like that. And from an analytics standpoint, the fraction of users who will intentionally mess with it for any reason is negligible. – EugZol Aug 28 '15 at 17:21
  • 1
    But what use is analytics to anybody - if they are easily something that can be messed with. The analytics is only if they are accurate and can be trusted. Neither of which Google Analytics driven from the client's browser is. – RenegadeAndy Aug 28 '15 at 17:25
  • Honestly, I don't find your line of thought reasonable. The main and only purpose of Google Analytics is to get an insight into what your user *is actually doing on his computer*. And of course you have no control over what he does. If you find out that he fires off events via script, and not via keyboard and mouse, well, that's what he does. – EugZol Aug 28 '15 at 17:31
  • Technically speaking, you don't need to use JavaScript: view source on a web page, get the web property ID, and everything can be inserted using https://developers.google.com/analytics/devguides/collection/protocol/v1/ – Linda Lawton - DaImTo Aug 31 '15 at 11:30

1 Answer

3

As the commenters have mentioned, you really shouldn't be using Google Analytics to verify anything and always treat the data with a pinch of salt.

However your assumption is correct and this is a problem right now. I've not experienced a targeted attack but there is no reason this couldn't happen. To see this in action in your account you'll likely find a number of spam referrals.

Acquisition > All Traffic > Referrals


The reason this is now more widespread than it has ever been is due to the Google Analytics Measurement Protocol, where spammers can actually cause problems with your Google Analytics data without even visiting your website (the spam is done sequentially with Analytics IDs!).

The fix? Unfortunately there isn't one if someone has targeted your website specifically, as there is currently no way of differentiating the hits (or only accepting authenticated server side hits). For referral traffic you can try an include filter on "hostname" (as this spam typically won't know/provide a domain for the hit) or chase the referrals with a never ending exclusion list.

williamvicary
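The hostname include filter suggested in the answer above, sketched as an added example (not code from the original post or from Google). It assumes the filter pattern is treated as a regular expression; the hostnames, the `UA-XXXXX-Y` placeholder ID and the sample hit payloads are constructed for illustration.

```javascript
// Added example: a hostname include filter applied to Measurement Protocol
// style hit payloads. Everything in ALLOWED_HOSTS and SAMPLE_HITS is constructed.
const ALLOWED_HOSTS = ['www.example.com', 'shop.example.com']; // assumption: your real hostnames

// Build an anchored, escaped pattern. An unanchored "example.com" would also
// match "example.com.spam.test", and an unescaped "." matches any character.
function buildHostnamePattern(hosts) {
  const escaped = hosts.map(h => h.toLowerCase().replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return '^(' + escaped.join('|') + ')$';
}

// Parse one URL-encoded hit payload and pull out the fields used here:
// dh = document hostname, dr = document referrer, t = hit type.
function parseHit(payload) {
  const p = new URLSearchParams(payload);
  return {
    hostname: (p.get('dh') || '').trim().toLowerCase(),
    referrer: p.get('dr') || '',
    type: p.get('t') || '',
  };
}

// Split hits into those the include filter keeps and those it drops.
function filterHits(payloads, hosts) {
  const re = new RegExp(buildHostnamePattern(hosts));
  const kept = [], dropped = [];
  for (const payload of payloads) {
    const hit = parseHit(payload);
    (re.test(hit.hostname) ? kept : dropped).push(hit);
  }
  return { kept, dropped };
}

const SAMPLE_HITS = [
  // ordinary pageview from the real site
  'v=1&tid=UA-XXXXX-Y&cid=555&t=pageview&dh=www.example.com&dp=%2Fhome',
  // referral spam with no hostname at all
  'v=1&tid=UA-XXXXX-Y&cid=777&t=pageview&dp=%2F&dr=http%3A%2F%2Fspam-referrer.test',
  // look-alike hostname that an unanchored pattern would let through
  'v=1&tid=UA-XXXXX-Y&cid=888&t=pageview&dh=www.example.com.spam.test&dp=%2F',
  // event carrying the correct hostname: kept, whoever sent it
  'v=1&tid=UA-XXXXX-Y&cid=999&t=event&ec=button&ea=click&el=nav%20buttons&ev=4&dh=www.example.com',
];

const result = filterHits(SAMPLE_HITS, ALLOWED_HOSTS);
console.log('pattern:', buildHostnamePattern(ALLOWED_HOSTS));
console.log('kept:', result.kept.length, 'dropped:', result.dropped.length);
```

The last sample hit shows the limit the answer describes: a hit that carries the correct hostname passes the filter, so this removes untargeted referral spam but does not authenticate hits.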