Tags: javascript, ruby-on-rails, google-analytics, measurement-protocol

Is Google Analytics event tracking JavaScript secure?


Google Analytics offers functionality to track specific events happening on your site using JavaScript calls like this:

ga('send', 'event', 'button', 'click', 'nav buttons', 4);

This is documented here: https://developers.google.com/analytics/devguides/collection/analyticsjs/events

I am wondering if this is secure?

Couldn't a user just open the JavaScript console in the Chrome dev tools and make random calls to ga passing in random parameters and mess up our site's analytics!?

Or a more frustrating user could even add a little javascript loop and run the placement of infinite calls to ga event tracking?

It seems ludicrous if this is the case! This kind of thing needs to be server side in my opinion. I am just confused that Google would offer this client-side option without considering accuracy and security! Have I missed something!?


Solution

  • As the commenters have mentioned, you really shouldn't be using Google Analytics to verify anything and always treat the data with a pinch of salt.

    However, your assumption is correct and this is a problem right now. I've not experienced a targeted attack but there is no reason this couldn't happen. To see this in action in your account you'll likely find a number of spam referrals.

    Acquisition > All Traffic > Referrals


    The reason this is now more widespread than it has ever been is due to the Google Analytics Measurement Protocol, where spammers can actually cause problems with your Google Analytics data without even visiting your website (the spam is done sequentially with Analytics IDs!).

    The fix? Unfortunately there isn't one if someone has targeted your website specifically, as there is currently no way of differentiating the hits (or only accepting authenticated server-side hits). For referral traffic you can try an include filter on "hostname" (as this spam typically won't know/provide a domain for the hit) or chase the referrals with a never-ending exclusion list.
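The following is an added example, not code from the question, the answer, or Google. It models the two points the answer makes: a Measurement Protocol event hit is an unauthenticated query string whose only identifier is the tracking ID (`tid`), so anyone who knows it can forge hits without ever loading the page; and the "include filter on hostname" catches untargeted spam that omits the document hostname (`dh`) but not an attacker who copies your hostname into the hit. The parameter names (`v`, `tid`, `cid`, `t`, `ec`, `ea`, `el`, `ev`, `dh`) are the documented Measurement Protocol v1 names; the tracking ID, client IDs, `www.example.com` hostname, and the three sample hits are constructed, and nothing is sent anywhere (a real hit would be POSTed to https://www.google-analytics.com/collect).

```javascript
// Added example (not from the original question or answer). Runs offline in
// Node or a browser; no hit is transmitted to Google.

// Build the query string of a Measurement Protocol v1 event hit.
// The only identifier required is the tracking ID `tid`; there is no secret,
// signature, or session token in the payload, so a hit built here is
// indistinguishable from one emitted by analytics.js for a real visitor.
function buildEventHit({ tid, cid, category, action, label, value, hostname }) {
  const params = new URLSearchParams({
    v: "1",       // protocol version
    tid,          // property ID, e.g. UA-XXXXX-Y (public in every page's HTML)
    cid,          // client ID, chosen freely by the sender
    t: "event",   // hit type
    ec: category, // event category
    ea: action,   // event action
  });
  if (label !== undefined) params.set("el", label);          // event label
  if (value !== undefined) params.set("ev", String(value));  // event value
  if (hostname !== undefined) params.set("dh", hostname);    // document hostname
  return params.toString();
}

// Parse a hit back into a plain object, i.e. what a view filter would see.
function parseHit(query) {
  return Object.fromEntries(new URLSearchParams(query));
}

// The "include filter on hostname" from the answer: keep only hits whose
// document hostname is one of the site's own domains. Hits with no `dh`
// at all (typical untargeted referral spam) are dropped.
function hostnameIncludeFilter(hits, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  return hits.filter((hit) => allowed.has((hit.dh || "").toLowerCase()));
}

// Constructed sample traffic (placeholder property, not a real account):
//   cid 555 - genuine hit produced by the page's own ga('send', 'event', ...)
//   cid 1   - untargeted spam that never loaded the site, so it sends no `dh`
//   cid 2   - targeted attacker who read the tracking ID and hostname from
//             the page source and set both, with an inflated event value
const TRACKING_ID = "UA-00000000-1";
const SAMPLE_HITS = [
  buildEventHit({ tid: TRACKING_ID, cid: "555", category: "button", action: "click",
                  label: "nav buttons", value: 4, hostname: "www.example.com" }),
  buildEventHit({ tid: TRACKING_ID, cid: "1", category: "spam", action: "visit",
                  label: "free-seo.example" }),
  buildEventHit({ tid: TRACKING_ID, cid: "2", category: "button", action: "click",
                  label: "nav buttons", value: 999999, hostname: "www.example.com" }),
].map(parseHit);

// Apply the filter to the sample traffic and return what survives.
function survivingHits() {
  return hostnameIncludeFilter(SAMPLE_HITS, ["www.example.com"]);
}

// The filter removes the untargeted spam (cid 1) but keeps the targeted
// forgery (cid 2) alongside the genuine hit (cid 555): nothing in the
// payload lets the property tell them apart.
console.log(survivingHits().map((h) => `${h.cid}: ev=${h.ev}`));
```

The practical reading: treat the hostname filter as noise reduction, not as an integrity control, and never drive anything that matters (billing, conversions, access decisions) off client-reported or Measurement Protocol event values.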