Here's a short video explaining the scope of this vulnerability and my initial test:
Something was broken, but it was broken in a weird way...
At first I assumed it was some sort of developer error -- an un-closed <script> tag or something silly that maybe I'd be able to see.
Could you block someone's Facebook pixel half of the time and show your Facebook pixel all the time, so that you could point to an attribution number showing more conversions from "your ads" even though it was just a hidden pixel error? Could you do that with Google Analytics? Could you embed a Google Analytics script that could block the default Shopify Google Analytics script so that only yours fires and with no errors shown in the Google Tag Assistant Chrome plugin?
I wanted to see about that last scenario, since I use Shopify to run this website and I use Google Analytics ... and would prefer an app developer didn't hijack my data...
The second step is to basically choose how much you want to obfuscate the code and how you want to do it -- this is the part that really took a bit of time, and I'm not ready to share my settings because I'm still trying to understand the scope of this problem. But the default settings look like this and you can play around with it in tons of ways:
After a series of tests, I was able to get the hardcoded pixel to fire, while breaking the Shopify Google Analytics pixel added in the admin area, and also preventing any errors in the Google Tag Assistant Chrome extension.
The last point about preventing errors in a popular debugger tool is important: a lot of analytics and privacy professionals use the same tools (Ghostery, Google Tag Assistant, Facebook Pixel Checker, etc.). But if you can prevent the error from being generated, it's much harder for those people to find the problem. Here's what the pixel hijack looked like from the debugging side:
The Google Tag Assistant Chrome extension is a great example of how this could impact a debugger because the extension icon has a little number next to the URL bar telling you how many Google pixels are firing. Someone who spends a lot of time on their own website optimizing their data layer would get used to seeing a certain number of those pixels whenever they test, and it's unlikely they would know their Google Analytics property/account ID by memory. So a quick glance at the enabled Google Tag Assistant extension, without the bright red "error" icon, could easily pass muster.
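Since a pixel count with no error icon says nothing about which property receives the data, the check worth making is on the property ID itself. As an added example (not code from the original post), the function below takes request URLs copied from the browser's network log and reports which Google Analytics `tid` values were hit compared with the ones you expect; the host list, function names and sample IDs are assumptions.

```javascript
// Added example: audit which Google Analytics properties a page reports to.
// GA_HOSTS is an assumed list of collection hosts; adjust it for your setup.
const GA_HOSTS = new Set(["www.google-analytics.com", "ssl.google-analytics.com",
  "analytics.google.com", "stats.g.doubleclick.net"]);

// Returns the `tid` (property / measurement ID) of a GA hit, or null if the
// URL is not a GA collect request. Only the query string is inspected; a hit
// that carries its parameters in a POST body needs that body checked as well.
function trackingIdOf(requestUrl) {
  let url;
  try { url = new URL(requestUrl); } catch { return null; }
  if (!GA_HOSTS.has(url.hostname)) return null;
  if (!url.pathname.endsWith("/collect")) return null;
  const tid = url.searchParams.get("tid");
  return tid ? tid.toUpperCase() : null;
}

// Compares the properties actually hit with the ones the site owner expects.
function auditAnalyticsHits(requestUrls, expectedIds) {
  const expected = new Set(expectedIds.map((id) => id.toUpperCase()));
  const counts = new Map();
  for (const u of requestUrls) {
    const tid = trackingIdOf(u);
    if (tid) counts.set(tid, (counts.get(tid) || 0) + 1);
  }
  return {
    counts: Object.fromEntries(counts),
    unexpected: [...counts.keys()].filter((id) => !expected.has(id)),
    missing: [...expected].filter((id) => !counts.has(id)),
  };
}

// Constructed sample: one hit fires, so a pixel counter would show "1",
// but it goes to a property that is not the owner's (placeholder IDs).
const SAMPLE_REQUESTS = [
  "https://www.google-analytics.com/collect?v=1&t=pageview&tid=UA-00000000-9&cid=1.2",
  "https://www.google-analytics.com/analytics.js",
  "https://cdn.example.test/app.js?tid=UA-11111111-1",
  "not a url",
];
const report = auditAnalyticsHits(SAMPLE_REQUESTS, ["UA-11111111-1"]);
console.log(report);
```

A non-empty `unexpected` or `missing` list is the signal to investigate, even when the debugger extension shows the usual count.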
After the tests today, I suddenly trust my favorite data layer Chrome debugging extensions a little less...
Here's a sample of what the obfuscated Google Analytics code looked like from the test (and a normal Google Tag Manager snippet below it):