We are currently working with the security team to review possible threats and ways to mitigate them. Our implementation uses the Js files.
I'm wondering if it is possible for users to hack the file and mess the data. If it's possible, what are some possible ways to mitigate such threats?
Thanks!
Solved! Go to Solution.
"Hack" the JS file on just your own machine? There are plenty of tools that allow you to modify JS code on any page you visit. One of the more popular ones is Chrome's developer tools (press F12). You could also download all the page resources (including the DTM scripts), and make any modifications to the Analytics implementation yourself via the local copy you just downloaded. You could alter any eVar value that you'd like, but such is the nature of any client-side JS code.
Hack the JS file remotely so that it applies to all machines that visit your site? The only way I see that happening is if your DTM account was compromised, and your DTM account had the permissions to edit and publish changes.
If you're truly, genuinely concerned that everyone that visits your site is going to commit data fraud and start sending nonsense to your report suite, you are welcome to look into a server-side implementation. All links within the Web server row on this page (Developer) are options that you can use. Web Server implementations would not allow the client to see or alter Analytics data. However, the need for DTM at that point is minimal, since DTM is for client-side implementations.
i don't think there is an easy answer, but i'm very interested in the results!
as far as i can see there are the following threats:
1) someone get's into dtm and adds manual code to a dtm-bundle. this way is might be possible to send data to other unwanted recipients.
2) someone finds a way to manipulate the javascript on client side by manipulating client computer (but if someone gets at this point there are better ways to get the desired data)
possible solutions:
1) use library download and install js on local server. test files before go live. see more here: Embed Code and Hosting Options
2) use CSP on web server to gain control over http calls: https://content-security-policy.com/
i love to hear more from adobe ...
Views
Replies
Total Likes
Thanks for the input.
We are implementing using Js. So I'm curious if there is truly a way to "manipulate the javascript on client side by manipulating client computer".
Besides, should the CSP be implemented by Adobe server?
Views
Replies
Total Likes
if you can manipulate the client computer, what you need analytics for? just do whatever you want ...
if you're talking about "special" links containig code in the url which - in combination withvthe analytics library - get executed on the page, i'm pretty sure adobe tested this...
one last thing about prevention: we will implement an "integrity test", a programm which downlouad the library every few minutes and test the content for any changes. in case of a change to the js-library on akamai, we will get an alarm. this way, we can check immediately if something is wrong.
Views
Replies
Total Likes
"Hack" the JS file on just your own machine? There are plenty of tools that allow you to modify JS code on any page you visit. One of the more popular ones is Chrome's developer tools (press F12). You could also download all the page resources (including the DTM scripts), and make any modifications to the Analytics implementation yourself via the local copy you just downloaded. You could alter any eVar value that you'd like, but such is the nature of any client-side JS code.
Hack the JS file remotely so that it applies to all machines that visit your site? The only way I see that happening is if your DTM account was compromised, and your DTM account had the permissions to edit and publish changes.
If you're truly, genuinely concerned that everyone that visits your site is going to commit data fraud and start sending nonsense to your report suite, you are welcome to look into a server-side implementation. All links within the Web server row on this page (Developer) are options that you can use. Web Server implementations would not allow the client to see or alter Analytics data. However, the need for DTM at that point is minimal, since DTM is for client-side implementations.
I am very sad to see what you are experiencing.
Hacking sometimes does harm other people. I can't help you much, because I only know about Cara Hack FB. Which my friend once used to hack Facebook accounts.
But I've heard stories from my friend's experience that it can be overcome in many ways.
One of them uses the Forgot Password method. Or maybe answer the Security Question as well. Also Two Factor Authentication.
Views
Replies
Total Likes
Views
Likes
Replies
Views
Likes
Replies