Bypassing ad blockers for Google Analytics

This website has been built as simply as possible to demostrate this problem, check it out:

Join the conversation on Hacker News.

Is scarily easy to bypass ad blockers to serve Google Analytics and Google Tag Manager.

This content should be overridden by GTM.

But how?

Ingenuity, reverse proxy, string manipulation.

Ingenuity in thinking that I can bypass uBlock (❤️).

Reverse proxy to hide the real source of the javascript. Here is provided for free by Netlify (❤️) and configured in the netlify.toml file of the repository.

String manipulation to change the endpoint of Google Analytics inside their own JavaScript to proxy it as above.

Setup a reverse proxy

A reverse what? 🤔

A reverse proxy acts as an intermidiary between you and the source. Refer to Wikipedia.

Why a reverse proxy?

A reverse proxy is needed to mask the real source of the JavaScript files. I use Netlify which works great, but you can use anything that gets the job done: IIS rewrites, a custom controller in your backend, whatever.

Configure Netlify redirects as reverse proxy

Refer to Netlify redirects docs.

It's as easy as adding this file to redirect everything 1:1 (some specific ad blockers lists filer out anything with "r/collect?" in the path so that may need rewriting too).

Use reverse proxy for Google Tag Manager

This is a matter of simply prefixing the URL of GTM with your reverse proxy. This is enough for ad blockers to not know that this is GTM.

The same applies to the noscript version of it: just add the proxy in front of the original URL

Use reverse proxy for Google Analytics and rewrite its content to make it use the reverse proxy

This is slightly more involved. Not only we are using the reverse proxy, but we also need to change the content of it to make it use our reverse proxy itself

We fetch the script, rewrite some urls inside to add the reverse proxy, then we add the script to the page.

Noscript versions of the Analytics scripts don't seem to be common nowadays but can receive the same treatment too

But then you'll get data from the reverse proxy rather than the user!

This was a point raised on Hacker News a few times, but not totally true.

Having had enough data now, thanks to HN referral, I can confirm that the only data that I'm not getting is the location and provider.

The location section is blank, but I can see traffic coming from Germany and USA in the real time section. These are probably just Netlify CDNs, and I'm unsure on why they wouldn't show up on the location section. Maybe the detected IPs are too few for Google Analytics to feel confident in showing that data.

I can confirm that I get: mobile/tablet/desktop, browser, OS, mobile device, language, referral, screen size, and new/returning visitors.

Tested with

Does it work with ads too?

I hope not. Ads are often blocked using cosmetic filters, meaning they are identified by their HTML markup.

So, how do we do fight back?

I don't know if we can! 😱 You can blacklist my particular URLs too...but I can change them in 1 minute. You could fingerprint the JavaScript file, I could add a random semi-colon and mess with that. I don't know how to come back from this approach!

The only thing that I can think of right now is to use NoScript or alternatives that fundamentally whitelist scripts, while not triggering the noscript tags.

EDIT: As pointed out on Hacker News Kiwi Browser for Android blocks this technique out of the box!

Author Stefano Chiodino @chiodinostefano stefano.chiodino.uk

Does it work for you in an environment that I haven't tested yet? Is it not? Let me know below!