Ask HN: How are analytics APIs on public web pages secured?
3 points by powersnail 2 days ago | 3 comments
It struck me today that a lot of public web pages have analytics, and these pages do not require a login. Hence, the analytics API must accept collected data without authentication.
What stops a malicious actor from calling those APIs and feeding them garbage?
XCSme a day ago
> What stops a malicious actor from calling those APIs and feeding them garbage?
Isn't that true for any service or API that collects data? If a bad actor wants to spam it with useless info, they can always find a way to do it.
You can filter out a lot of bad data with UA bot detection and maybe rate limits per IP, but if someone really wants to spam your service, they can always do it.
GA already has a lot of keyword/referrer spam, where you saw some dodgy websites as referrers.
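Added example, not part of the thread or any commenter's code: a sketch of the two filters the reply above names, User-Agent bot detection and a per-IP rate limit, applied to hits arriving at an unauthenticated collection endpoint. The `EventFilter` class, the `BOT_UA` pattern, the limits and the sample hits are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Assumed heuristic pattern; real deployments use a maintained bot list.
BOT_UA = re.compile(r"bot|crawl|spider|curl|python-requests|headless", re.I)

class EventFilter:
    """Decide whether an unauthenticated analytics hit should be stored."""

    def __init__(self, max_hits=3, window=60.0):
        self.max_hits = max_hits        # accepted hits allowed per IP per window
        self.window = window            # sliding window length in seconds
        self.hits = defaultdict(deque)  # ip -> timestamps of accepted hits

    def check(self, ip, user_agent, now):
        # Missing or bot-like User-Agent: drop before touching rate-limit state.
        if not user_agent or BOT_UA.search(user_agent):
            return "drop:bot_ua"
        q = self.hits[ip]
        # Evict timestamps that have left the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_hits:
            return "drop:rate_limit"
        q.append(now)
        return "accept"

def run_sample():
    # Constructed sample hits: (timestamp, ip, user agent).
    browser = "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
    sample = [
        (0.0, "203.0.113.5", browser),
        (1.0, "203.0.113.5", browser),
        (2.0, "203.0.113.5", browser),
        (3.0, "203.0.113.5", browser),    # 4th hit inside 60 s
        (4.0, "198.51.100.7", "curl/8.5.0"),
        (5.0, "198.51.100.9", ""),        # no User-Agent at all
        (70.0, "203.0.113.5", browser),   # earlier hits have aged out
    ]
    f = EventFilter(max_hits=3, window=60.0)
    return [f.check(ip, ua, ts) for ts, ip, ua in sample]

if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

Both checks key on values the client supplies or can vary, so they reduce noise in the stored data rather than authenticate the sender.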