Security concerns with Google Tag Manager

[dglittle]

Google’s tag manager is loaded on every page, and can entirely control the election

This JS is just loaded on every page and can therefore entirely control the DOM.

[...]

The goal is not to cast aspersions on the vendor, but to point out that the system is fundamentally trusting them in a way that might not be safe in the case of nation-state level adversaries.

Originally posted by @mspecter in https://github.com/siv-org/siv/issues/195

[arianabuilds]

Entry Summary for HACK SIV @ DEF CON 2024

Thanks again for participating! This submission earned $113.38 from SIV and $60.31 from the Public Vote, for a total of $173.69.

Here's what we noted in our evaluation:

What's interesting about this submission

• Yeah, this sucks.
• We've never once even looked at the data. Zero benefit.
• Had specifically written down to remove this before the contest started... and yet here we are.

What takes away from it

• So easy to fix! PR to rip it out so welcome.
• No reason to believe this has ever been exploited.

Issue to track getting paid: https://github.com/siv-org/hack.siv.org/issues/11