Are Google Analytics reports vulnerable to having false data injected by malicious users?
Could a malicious user edit the Google Analytics javascript that runs on your page in order to put some false data in your reports to mislead you?
Yes. It is possible.
JavaScript is a user-editable environment, and Google Analytics does not validate the data.
So, you could just inject JavaScript into the page to send any data you like to people's Google Analytics accounts, and there's no "validate" which data is valid and which isn't.
I can pop open the DevTools Console in my Chrome and just enter Google Analytics data on any site that uses GA:
_gaq.push(["_trackPageview", "/anything-you-want-to-send"]);
This also applies to people "taking" your Google Analytics snippet to put on your site. Luckily, that type of hostile behavior is filterable, since you can configure Google Analytics to exclude data from foreign hostnames.
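The hostname exclusion mentioned above, sketched as an added example (not part of the original answer and not Google's code). It assumes hits arrive as Measurement Protocol v1 payloads, where `dh` is the document hostname and `dp` the document path; `ALLOWED_HOSTS`, the helper names and the sample hits are constructed for illustration.

```javascript
// Added example: hostname allowlist over Measurement Protocol v1 hit payloads.
// ALLOWED_HOSTS and the sample hits are constructed for illustration.
const ALLOWED_HOSTS = new Set(["example.com", "www.example.com"]);

// Parse one url-encoded hit payload (v=1&tid=...&dh=...) into an object.
function parseHit(payload) {
  const params = new URLSearchParams(payload);
  return {
    tid: params.get("tid"),   // tracking ID
    cid: params.get("cid"),   // client ID
    type: params.get("t"),    // hit type
    // Normalize case and a trailing dot before comparing hostnames.
    host: (params.get("dh") || "").trim().toLowerCase().replace(/\.$/, ""),
    path: params.get("dp") || "",
  };
}

// Keep hits whose document hostname is exactly one of ours; a missing or
// look-alike hostname (e.g. example.com.copycat.test) is rejected.
function partitionHits(payloads, allowedHosts = ALLOWED_HOSTS) {
  const kept = [];
  const dropped = [];
  for (const payload of payloads) {
    const hit = parseHit(payload);
    (allowedHosts.has(hit.host) ? kept : dropped).push(hit);
  }
  return { kept, dropped };
}

// Constructed sample hits.
const SAMPLE_HITS = [
  "v=1&tid=UA-XXXXX-Y&cid=111.222&t=pageview&dh=www.example.com&dp=%2Fpricing",
  "v=1&tid=UA-XXXXX-Y&cid=333.444&t=pageview&dh=copycat.test&dp=%2F",
  "v=1&tid=UA-XXXXX-Y&cid=555.666&t=pageview&dh=example.com.copycat.test&dp=%2F",
  "v=1&tid=UA-XXXXX-Y&cid=777.888&t=pageview&dp=%2Fno-hostname",
  // Entered on the real site itself: the hostname is genuine, so it passes.
  "v=1&tid=UA-XXXXX-Y&cid=999.000&t=pageview&dh=www.example.com&dp=%2Fanything-you-want-to-send",
];

const result = partitionHits(SAMPLE_HITS);
console.log("kept:", result.kept.map((h) => h.host + h.path));
console.log("dropped:", result.dropped.map((h) => h.host || "(none)"));
```

The last sample hit shows the limit of this filter: data entered on the legitimate page carries the legitimate hostname and is kept, so the allowlist only removes hits that report a foreign or missing hostname.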
Good question; even we had implemented this and it had never crossed our minds. Maybe this will help to fix it. I must try the duplicate profile and understand it more...
https://web.archive.org/web/20120530210930/http://techhacking.com/2011/01/23/google-analytics-referrer-spammers/
Related
I'm new to Chrome extension development. We've needed to trace our customers for our service growth, so we've been wanting to get the metric for retention of our users. But there was a weird thing: the same number of users was traced for each user type. I attached it below. This is the Google Analytics Cohort Analysis of our service.
a screenshot on the google analytics
But I think Event metrics (Behavior > Events) are being collected correctly. A screenshot is here.
Google Analytics > Behavior > Events
So I looked for Google Analytics users, and I've figured out that Google's tracking snippet looks for a tracking cookie on the user's device. The site address is here: https://www.hotjar.com/google-analytics/glossary/users/
According to these documents, Google uses a cookie to distinguish between new users and returning users. So I've set the checkProtocolTask option to false in the GTM console like this, cuz a Chrome extension doesn't have http or https protocols.
Google Tag Manager Console
But the user cohort is still weird. I really wanna get the correct result of the new users cohort analysis.
Question
Why does Google Analytics show us a weird cohort result?
What more can I do about this?
My English ability is not good and I don't know Google Analytics well, so my questions are kind of a mess. Please understand me 🙏
Thanks for reading this question!
Ok, so for Extension tracking, I have never heard of people using GTM for extension tracking. That doesn't sound correct to me. Just because of how GTM deploys analytics, expecting there to be a standard window scope, relying on all the standard window.location values and many other properties and like the resolution, viewport, "this" and such.
Moreover, since you're a JS developer and you're not going to delegate tracking to non-JS devs, you probably want to use GA's measurement protocol directly rather than completely relying on the default library through GTM.
With the measurement protocol, you will be able to explicitly set all the fields you're interested in, including client IDs. You will have to manage user cookies on your side, but it's easier than trying to force web tracking logic to work for extensions.
Here is the parameter reference. It may be very useful to you: https://developers.google.com/analytics/devguides/collection/protocol/v1/parameters
And here is an npm lib that implements measurement protocol. I use it with Node, but it can definitely be used on the front-end too: https://www.npmjs.com/package/universal-analytics
I actually tried quite a bit of npm packages for measurement protocol usage and I found this one the most comfortable for me. There's a lot of them. Feel free to browse.
I am trying to create a trigger for a script in google spreadsheet and upon trying to save the trigger I am getting the following error:
This app is blocked This app tried to access sensitive info in your
Google Account. To keep your account safe, Google blocked this access.
I don't have G-Suite, I don't have an organization, I am simply using my personal Gmail account. I don't have the special account protection thing enabled. I tried using different scripts, even an empty script.
What could be the problem here? I have used scripts and add-ons in the past, but haven't needed triggers yet. Is there another way to run a script daily or monthly, without this trigger functionality?
There is currently a bug
I recommend you "star" it to increase visibility, so it hopefully gets fixed soon.
Try this:
Unable to open Google xlsx spreadsheet / Also Google Drive permission Blocked
The same solution logic can solve this problem.
I assume it has something to do with this:
For me Google one Tap stopped working on all my sites that previously worked. I added API HTTP refer to restriction in console.developer.com, but I still get a warning message "The client origin is not permitted to use this API." any thoughts? If you go to the page https://www.wego.com/ you can see that Google one tap still works...
https://news.ycombinator.com/item?id=17044518#17045809
But Google YOLO stopped working for everyone. I use it, like many people, for login and it just stopped working.
My domains are obviously added on console.developers.google.com
Any ETA for fixing this? Some information would be great for people who rely on it.
Google YOLO is not disabled. It is open to a small list of Google Partners.
The reason you were able to access it earlier was because it was open for a short period of time but the whitelist is now readded/enabled.
Reference:
https://twitter.com/sirdarckcat/status/994867137704587264
Google YOLO was put on a whitelist after a client-side exploit became clear to Google.
People could cover the login button of the prompt with something like a cookie consent (which we all know people automatically accept).
Therefore people could easily steal their Gmail or other details. Due to this, Google decided to put it on a whitelist and review the sites that are using this technology in order to ensure that they are using it as they should.
Google retroactively labeled One-Tap as a "closed beta".
https://developers.google.com/identity/one-tap/web
The beta test program for this API is currently closed. We are improving the API's cross-browser functionality and will provide updates here in the coming months.
The link for the entire project is currently 404, but the beta statement is visible on the wayback machine.
I am not an engineer, but I'm asking a question beyond my understanding. The company I work for recently reported that Google Analytics often gave us wrong statistics. When I tried to scrawl the website's HTML code, I found that the Facebook conversion pixel code was put ahead of the Google Tag Manager code on our website. Does that affect how Google Analytics works? In my mind, Google Analytics suggests that we not put other tracking code in place that interferes with GA.
While it defeats the purpose of tag management systems to have tags outside the tag management container, Google Analytics will work just fine with other tracking pixels, and Google certainly does not say anywhere that you should not use other tracking software. Nobody would use GA if it interfered with the normal operations of a website.
So no, the Facebook Pixel will not interfere with GA. You can easily check if the data is transmitted correctly if you use the Chrome extensions that Google provides - look for "Google Tag Assistant", that's the most user-friendly option. Install it via the Google Play Store; it will add a small icon to the right of your address bar, and if you click the icon you can enable it for any given domain. It will display an error via a red icon if something is wrong, and will give some detailed information about what is being sent to the Google Analytics tracking server. That might help you to find the actual error if there is a problem with data collection (it will not help you to find configuration problems).
How can I get the URL of the current page with JavaScript in Google Sites?
I need to get the full URL of the current page with all parameters.
window.location.href returns http://nosuchhost.invalid:80.
It happens in Google Sites only; in Google blogs window.location.href works fine.
You can't run JavaScript in a Google site.
It won't work as I don't think Google Sites will ever offer JavaScript.
What you have to remember is that your Google Site is always at a
google.com address and, therefore, many people, firewalls and virus
checkers automatically trust everything at a google.com address:
JavaScript can deliver malicious code, so it's never going to happen.
You should be able to add the JavaScript through a gadget.
and...
As Steegle has noted, we won't be adding JavaScript anytime soon to
the capabilities of Sites.