| Title | Google Tag Manager and Its Privacy Issues |
| Authors | Javiera Alegría, Ivana Bachmann, Javier Bustos-Jiménez |
| Publication date | 2025 |
| Abstract | Google Tag Manager (GTM) is a tag manager that allows third-party scripts to be inserted, modified, or deleted on a website from a graphical interface, without having to modify the source code. These tags collect data such as visits, clicks, form submissions, traffic sources, user behavior, and purchase actions. While Google establishes control mechanisms to maintain good practices and comply with the respective legislation, the fact that GTM operates at a more abstract level means that if privacy breaches arise, such as personal data leaks, web publishers would have a hard time detecting them. This paper analyzes the behavior of official GTM tags in a sandbox environment and GTM's behavior in the wild, looking at the million most popular websites and the tags available to web publishers in the Community Template Gallery. The results reveal flaws in the tool's permission system, particularly related to the use of the Inject Scripts permission, affecting 62.4% of the web container tags available in the Community Template Gallery and 51.22% of the websites using GTM. This affected 40,185 websites using GTM. The vulnerability also revealed the use of 236,838 "Custom HTML Template" tags accessing third-party scripts, thus violating the permission system. This situation was observed on 50,526 websites. Overall, the risk was found to extend to 57,096 websites, representing 72.64% of the sites using the tool. |
| Pages | 173-189 |
| Conference name | European Symposium on Research in Computer Security |
| Publisher | Springer Nature Switzerland AG (Cham, Switzerland) |

