Can mtc.js be substituted in case of server hacking?

One of my clients is worried that the JS script http(s)://example.com/mtc.js can be substituted with another one that will steal their users' data, or do something else naughty. They consider an external JS script to be a security hole.
They suggest tracking via gif pixel.

Can you tell me how to convince them to use a standard tracking tool? What arguments? After all, mtc.js really can be substituted if the server is hacked, and no one will know about it.

Or should I still agree to pixel tracking? What difficulties might arise in the future?
PS I read the documentation :wink:

To convince your client to use a standard tracking tool over an external JS script like mtc.js, you can use these arguments:

Security: Standard tracking tools often come from reputable providers who prioritize security. They employ measures to protect against data theft or malicious code injection, which reduces the risk compared to using external scripts that might be vulnerable to hacking.

Reliability: Standard tracking tools are usually well-maintained and regularly updated to ensure compatibility and reliability. This can provide peace of mind that the tracking will continue to function as expected.

I'm just trying to convince a client to install the standard mtc.js, but they only agree to install a GIF pixel…

OK… using Mtc.js as a substitute in case of hacking can be a smart move. It's like having a backup plan for your backup plan! Mtc.js adds an extra layer of protection, making it harder for hackers to breach your server. If you're looking for more tips on server security, I found this walkthrough on GuidedHacking super helpful: https://guidedhacking.com/threads/tryhackme-internal-walkthrough.17654/ . It's got some great insights and strategies to keep your server safe and sound. Remember, it's always better to be safe than sorry when it comes to online security!

Hi

Use Subresource Integrity (SRI) to ensure that the browser only executes the script if it matches a known cryptographic hash.

This prevents anybody from changing the contents of the JavaScript after it has been inserted into the client's website.

Example:

<script src="https://m.dev.testserver.online/mtc.js" integrity="sha512-Gwk0j60G5DyQp+TCWjVPo+XTYB12jDABIndHgnM7nmTa+zSn57/cT8LNGa5W74Np9rvIEwVp+7OMu0KkYEYUfw==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>

Generator:

Greetings
Sebastian


You can change the existing JS Loader Code like this:

<script>
    (function(w,d,t,u,n,a,m){
        w['MauticTrackingObject']=n;
        w[n]=w[n]||function(){(w[n].q=w[n].q||[]).push(arguments)};
        a=d.createElement(t);
        m=d.getElementsByTagName(t)[0];
        a.async=1;
        a.src=u;
        a.integrity="sha384-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
        a.crossOrigin="anonymous";
        m.parentNode.insertBefore(a,m);
    })(window,document,'script','https://m.dev.testserver.online/mtc.js','mt');

    mt('send', 'pageview');
</script>

Replace the xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx with the calculated hash.