We want to embed an ajax style service into a number of our websites each with a unique api key. The problem that I can see is that because the api key is stored in the javascript file the user could potentially take the key, spoof the http referrer, and make millions of requests to the api under that api key.

So I am wondering how Google prevents Analytics spoofing, as this uses almost the same idea.

I'm also open to other ideas, essentially here is the process.

SiteA -> User <-> Ajax <-> SiteB

EDIT - is there any way to protect the API from being abused while having it called via ajax?

+1  A: 

At a guess, I'd say the key is one half of a public-private key pair that (somehow) includes the URL as a hash. This way, the key will only work, and the hits only registered, if the request is for the URL for which the key was generated. You can't spoof the request, because if you do it goes to the wrong URL and nothing happens.

Dave Swersky
I.e. referrer checking. This does not defend against referrer spoofing (which I'm guessing "spoof the http reference" in the question means). http://en.wikipedia.org/wiki/Referrer_spoofing
bzlm
@bzlm - yes that is what I meant. I will edit to clear that up.
I don't think you are describing a real security system.
Rook
OK yes referrer spoofing is something else and from the conversation here there's no good way to combat it.
Dave Swersky
+3  A: 

I don't believe there are any such protection measures in place. Spoofing of traffic is a serious problem for other Google services, such as Adwords. For instance a malicious individual who is bidding on Adwords can generate many fake clicks for their competitor's ads to drive up their advertising costs and thus Google's stock price. The inverse is also true, people will generate fake clicks on their site to get extra money from a Pay Per Click ad on their site.

At the end of the day a hacker can amass a list of 10,000+ anonymous proxy servers without too much difficulty and there isn't much you can do about it. A hacker could also use a botnet, some of which are millions in size. Traffic generated from a botnet can appear to be legitimate machines with a legit Google Cookie, because they were hijacked.

Many proxies and botnetted machines are enumerated by Realtime Black Lists (RBL) such as the one run by http://www.spamhaus.org , and many legitimate IP addresses are also on that list. There are also proxies that can't be used for spam but could be used for click fraud and thus they won't be on that list.

Rook
So essentially what you're saying is that there is no real way to prevent spoofing as I had described?
If the attacker has a bunch of proxies or hacked machines, then no there is no way to prevent this type of spoofing.
Rook
Hacked machines or proxies aren't even necessary. If I use your API key and spoof your referral header, I can use the AJAX style service the question describes. Unless other measures are in place...
bzlm
@bzlm it would be trivial to check the IP address and limit the number of requests.
Rook
@The Rook I agree. But that won't protect against the problem posed in the question. Not sure what will, though.
bzlm
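The server-side check the comments above converge on (a referer check, which any client can satisfy since the header is client-controlled, plus the per-IP request limit Rook suggests), as an added example that is not code from the question or any of the answers. The key, origin URL, IP addresses and limits are constructed values; the page gives none.

```python
import time
from collections import defaultdict, deque

# Constructed registry: the API key shipped in SiteA's JS file and the
# origin it was issued for (hypothetical values, not from the page).
API_KEYS = {"key-siteA": "https://sitea.example"}

WINDOW_SECONDS = 60
MAX_REQUESTS_PER_WINDOW = 5


class ApiGate:
    """Admission check run on SiteB before serving an ajax API request."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_REQUESTS_PER_WINDOW):
        self.window = window
        self.limit = limit
        # (api_key, client_ip) -> timestamps of recently accepted requests
        self._hits = defaultdict(deque)

    def check(self, api_key, referer, client_ip, now):
        if api_key not in API_KEYS:
            return "reject: unknown key"
        # Referer is set by the client, so passing this check proves nothing
        # about where the request really came from; it only stops accidents.
        if not (referer or "").startswith(API_KEYS[api_key]):
            return "reject: referer mismatch"
        # Sliding-window limit per (key, source IP). As the answers note, an
        # attacker spreading requests over many proxies or bots gets a fresh
        # window per IP, so this bounds per-source abuse, not total abuse.
        q = self._hits[(api_key, client_ip)]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return "reject: rate limited"
        q.append(now)
        return "accept"


def simulate():
    """Constructed traffic: one browser hit, then a burst from a single IP."""
    gate = ApiGate()
    results = [gate.check("key-siteA", "https://sitea.example/page", "198.51.100.7", 0.0)]
    for i in range(7):  # 7 requests in 7 seconds from one source, key reused
        results.append(gate.check("key-siteA", "https://sitea.example/page", "203.0.113.9", 1.0 + i))
    # Same source again once its oldest hit has aged out of the window
    results.append(gate.check("key-siteA", "https://sitea.example/page", "203.0.113.9", 61.5))
    return results
```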