Is it possible to hack the Adobe Analytics JS files on the client side?

yuanb 28-08-2017

We are currently working with the security team to review possible threats and ways to mitigate them. Our implementation uses the JS files.

I'm wondering if it is possible for users to hack the file and mess up the data. If it's possible, what are some possible ways to mitigate such threats?

Thanks!

Accepted Solutions (1)

Gigazelle
Employee
29-08-2017

"Hack" the JS file on just your own machine? There are plenty of tools that allow you to modify JS code on any page you visit. One of the more popular ones is Chrome's developer tools (press F12). You could also download all the page resources (including the DTM scripts), and make any modifications to the Analytics implementation yourself via the local copy you just downloaded. You could alter any eVar value that you'd like, but such is the nature of any client-side JS code.

Hack the JS file remotely so that it applies to all machines that visit your site? The only way I see that happening is if your DTM account was compromised, and your DTM account had the permissions to edit and publish changes.

If you're truly, genuinely concerned that everyone that visits your site is going to commit data fraud and start sending nonsense to your report suite, you are welcome to look into a server-side implementation. All links within the Web server row on this page (Developer) are options that you can use. Web Server implementations would not allow the client to see or alter Analytics data. However, the need for DTM at that point is minimal, since DTM is for client-side implementations.

Answers (3)

ursboller
MVP
28-08-2017

if you can manipulate the client computer, what do you need analytics for? just do whatever you want ...

if you're talking about "special" links containing code in the url which - in combination with the analytics library - gets executed on the page, i'm pretty sure adobe tested this...

one last thing about prevention: we will implement an "integrity test", a program which downloads the library every few minutes and tests the content for any changes. in case of a change to the js-library on akamai, we will get an alarm. this way, we can check immediately if something is wrong.
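A sketch of the kind of "integrity test" described in the reply above, added here as an example; it is not code from the thread or from Adobe. The URL, function names and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import urllib.request

# Placeholder (assumption): the library URL your pages actually load.
LIBRARY_URL = "https://assets.example.com/analytics/library.js"


def digest(body: bytes) -> str:
    """SHA-256 hex digest of the exact bytes served to browsers."""
    return hashlib.sha256(body).hexdigest()


def http_fetch(url: str, timeout: float = 10.0) -> bytes:
    """Default fetcher; run check() from cron or a scheduler every few minutes."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def check(url: str, approved: set, fetch=http_fetch) -> dict:
    """Compare the live library with the digests approved at publish time.

    A failed download is its own alerting state, never "ok", so an outage
    or a blocked request cannot mask a modified file.
    """
    try:
        body = fetch(url)
    except OSError as exc:  # URLError and timeouts are OSError subclasses
        return {"status": "fetch_failed", "alert": True, "detail": str(exc)}
    seen = digest(body)
    status = "ok" if seen in approved else "changed"
    return {"status": status, "alert": status != "ok", "detail": seen}


# Constructed sample bytes standing in for the real library contents.
GOOD = b"/* analytics library, approved build (constructed sample) */ var s = {};"
TAMPERED = GOOD + b" /* bytes that were not in the approved build */"

if __name__ == "__main__":
    approved = {digest(GOOD)}  # record new digests whenever you publish
    for name, body in (("good", GOOD), ("tampered", TAMPERED)):
        print(name, check(LIBRARY_URL, approved, fetch=lambda _u, b=body: b))
```

Keeping a set of approved digests, rather than a single one, lets both the old and the new build pass while a legitimate publish propagates through the CDN.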

yuanb 28-08-2017

Thanks for the input.

We are implementing using JS. So I'm curious if there is truly a way to "manipulate the javascript on client side by manipulating client computer".

Besides, should the CSP be implemented by Adobe server?

ursboller
MVP
28-08-2017

i don't think there is an easy answer, but i'm very interested in the results!

as far as i can see there are the following threats:

1) someone gets into dtm and adds manual code to a dtm-bundle. this way it might be possible to send data to other unwanted recipients.

2) someone finds a way to manipulate the javascript on client side by manipulating client computer (but if someone gets at this point there are better ways to get the desired data)

possible solutions:

1) use library download and install js on local server. test files before going live. see more here: Embed Code and Hosting Options

2) use CSP on web server to gain control over http calls: https://content-security-policy.com/

i love to hear more from adobe ...