Measurement protocol spam potential

[Willem Paling]

From what I can see, there is no authentication required on the measurement protocol.

Has anyone got any thoughts on the potential for the measurement protocol to be spammed with malicious events?

Say I really hated my competitor, I got their UA number from their e-commerce website, and set up a bot to pound their UA number with random events through the measurement protocol...then their data would be horrible.

Say...for this site, I can view source and see that the UA number is UA-1044941-16.

I could make 1000 requests to https://ssl.google-analytics.com/collect?v=1&tid=UA-1044941-16&cid=555&t=pageview&dp=%2Fhome and they would be logged as page views on the home page even though it was just some script that I wrote to be annoying.

I know the same problem applies to Google Analytics generally, but if it was to become a problem, we could always filter out the traffic based on the domain. But with the measurement protocol, requests will come from all over the place...so how would we filter out these malicious requests if they happened?

[Matt Clarke]

I have been thinking the same thing, Willem. As you say, it's already possible to do the same with the JS version and has also been possible to do with the same with the unofficial methods for posting data, such as PHP-GA and SSGA. 

It would be great if some kind of protection against black hat analytics hackers could be built in. 

Matt

[Matt Clarke]

Sorry to dredge this one up. Even something as simple as a unique random secret key could solve this, couldn't it? If the admin settings in the GA UI showed a Measurement Protocol key, the user could then add this to any Measurement Protocol requests sent. The API could simply reject any requests made which didn't contain the secret key. 

Matt

[Nick Mihailovski]

We've looked at this.

If you are doing a client-based implementation, as long as you can get the http request from the client, then you can spoof the request.

-Nick

[Willem Paling]

Not really a solution...but a few thoughts that might be relevant.

I've been working on an id broker/measurement protocol proxy – basically it takes requests with a key/value pair to so that my app knows what kind of id we're looking at (from our CRM, an email address, whatever), and maps that to an anonymous UUID. Then it takes any of the measurement protocol params and puts the request together.

This means that all my legit requests will be coming from the same IP. I suppose I could then create a filtered profile based on the IP address. But then that profile would only contain measurement protocol stuff and not the regular analytics.js pageviews etc.

This id broker/proxy could also filter out spammy requests in future, detect unnatural request patters and so on.