Facebook Pixel and Google Analytics for example give you an API key to identify tracking requests from your website. But what is to stop someone from grabbing the key, spoofing your domain and submitting their own tracking requests?
Asked
Active
Viewed 37 times
0
-
how do you "spoof a domain"? – schroeder Jan 31 '22 at 12:13
-
Change the referrer on the request? – Ian Jan 31 '22 at 12:29
-
Have you looked up how those API keys work and what security exists around them? I'm thinking this is more of a service admin question and not a security question. – schroeder Jan 31 '22 at 12:46
-
https://cloud.google.com/docs/authentication/api-keys?hl=en-GB&visit_id=637792298419116312-3630529100&rd=1 – schroeder Jan 31 '22 at 12:47
-
The same problem that you describe applies to 'click fraud' with Google Adwords, where malicious users automate spoofed third-party requests to Google Adwords' API, to drive up competitors' advertising costs. There is no sure-fire way to prevent this, but Google has implemented tools mitigate this problem based on AI, ML, etc. See https://www.google.com/ads/adtrafficquality/ for more info. – mti2935 Jan 31 '22 at 20:23