22

This may be a silly question but is client side application insights safe from spoofing? Microsoft ask you to add a bit of JavaScript to your HTML page that needs recording and part of this contains a hard coded instrumentation key (not a real key below!):

instrumentationKey: "3D486E8C-BDEF-43AB-B27A-9D3F9D42EC14"

There doesn't seem to be any other relationship between Url and key or any mechanism to prevent spoofing of this key client side (i.e. randomly generating the key with different numbers and submitting the page).

This wouldn't cause any damage, but it would be annoying to the receiver of the incorrect monitoring data, which may well be all someone wants to do "because they can".

Have I missed something fundamental as to why this is not possible?

GrahamB
  • 1,368
  • 15
  • 35

3 Answers3

11

This is absolutely correct that anyone can log misleading or garbage data to anyone’s AI account if they know the instrumentation key. This is also correct for most web other analytics systems: the request to log information is sent unauthenticated and anyone with sufficient skill can emulate a valid user data. The fact that AI has instrumentation key embedded on the page does not make it easier because anyone using web traffic monitor tool like Fiddler can still intercept and emulate the requests, even if instrumentation key was not embedded on the page. If you suspect that a malicious user will purposefully log misleading data using your AI key, you should use caution and validate if the data makes sense before making your business decisions, for example from how many users was the data obtained and over what period of time, and whether your client-side page view data matches the server-side requests data.

QuantumHive
  • 5,613
  • 4
  • 33
  • 55
Alex Bulankou
  • 2,396
  • 19
  • 21
2

While not exactly a duplicate, i believe the answer is pretty much the same as this one:

How does Google Analytics prevent traffic spoofing

AI doesn't know how or where you're using your key, so how would they know which traffic is legitimate and which is not?

Community
  • 1
  • 1
John Gardner
  • 24,225
  • 5
  • 58
  • 76
  • Ok, thanks - from the discussion on the Google thread, the feedback seems to be "you can't stop this"... – GrahamB Jan 09 '15 at 09:50
2

+1 to Alex's answer. FYI, this is the official answer from Azure Monitor: My Instrumentation Key is visible in my web page source

TL;DR:

  1. Yes, data can be skewed but not stolen
  2. It is a common practice
  3. To mitigate the impact, you could set up two separate app insights resources: one for client, the other for server
  4. To overcome the issue, you set up a custom API and forward telemetry data to app insights.
HUIJING HUANG
  • 273
  • 1
  • 3
  • 8