Slashdot Mirror


GoDaddy is Injecting Site-Breaking JavaScript Into Customer Websites (techrepublic.com)

Web hosting service GoDaddy is injecting JavaScript into customer websites that could impact the overall performance of the website or even render it inoperable, according to Australian programmer Igor Kromin. From a report: GoDaddy's analytics system is based on W3C Navigation Timing, but the company's practice of unilaterally opting in paying customers to an analytics service -- tracking the visitors to websites hosted on GoDaddy services -- without forewarning is deserving of criticism. GoDaddy claims the technology, which it calls "Real User Metrics" (RUM), "[allows] us to identify internal bottlenecks and optimization opportunities by inserting a small snippet of javascript code into customer websites," that will "measure and track the performance of your website, and collects information such as connection time and page load time," adding that the script does not collect user information. The script name "Real User Metrics" is somewhat at odds with that claim; likewise, GoDaddy provides no definition of "user information."

GoDaddy claims "most customers won't experience issues when opted-in to RUM, but the JavaScript used may cause issues including slower site performance, or a broken/inoperable website," particularly for users of Accelerated Mobile Pages (AMP), and websites with pages containing multiple ending tags.

74 comments

  1. Well then... by TimMD909 · · Score: 4, Insightful

    ... might be time to move all my domains to another company.

    1. Re: Well then... by Anonymous Coward · · Score: 0

      Yup

    2. Re:Well then... by Oh+really+now · · Score: 2

      I've already done that, back on one of the other times they pulled some nonsense that was a big middle finger extended towards the customer base.

    3. Re:Well then... by Anonymous Coward · · Score: 1

      I moved all of mine from GoDaddy to here... https://www.secureserver.net/?prog_id=2rosenthals&isc=wwbb1902&utm_source=plocp&utm_medium=email&utm_campaign=en-US_x_email_base_pl&utm_content=180602_1902_x_x_x_x_wwbb1902_5FPCIY2iu4ridD8S08hFBn

      Nathan

    4. Re:Well then... by zekica · · Score: 1

      I would suggest a great alternative I used for 8 years, but they got bought by GoDaddy :(

    5. Re:Well then... by fermion · · Score: 2

      It was time five years ago. Godaddy has value if you need free and your time is worth nothing. I moved to namecheap a long time ago, when I forgot to renew my domain name and godaddy held it hostage.

      I pay these people to register my domain names, and I pay a fair amount. I know it is hard to make a profit, but really what do they actually do that costs so much? I don't need someone trying to monetize me when I am already paying them.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    6. Re:Well then... by bobbied · · Score: 4, Informative

      ... might be time to move all my domains to another company.

      My friend who was a GoDaddy customer for over a decade did just that a month ago. Mainly because they kept black holing his domains because of THEIR code change.

      He ran a business, and the website going down was a BAD thing for him. After nearly a decade of running on this hosting service, having not made any changes to his website for over 3 months all of a sudden GoDaddy TOSed him for excessive CPU usage, "No you may not access any of your data thank you". A day on the phone later, they restore him after he pleads with their customer support and appeals to his long record of service. He decides to make a backup of everything now, bad call, he gets TOSed again the next day, this time they won't restore him.

      He got to looking at his backups and notices that what happened was GoDaddy CHANGED their backup processes and modified his system by applying patches. Anytime he ran backups, the CPU usage would spike. So, because he had subscribed to GoDaddy's backup service AND then dared to actually run a backup manually the bug they installed caused them to TOS him.

      He's not on GoDaddy now, after decades of trouble free service. Their loss..

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    7. Re:Well then... by demon+driver · · Score: 1

      So did HostEurope, which used to be a good address, too...

    8. Re:Well then... by Anonymous Coward · · Score: 0

      That's a bitch to type, man.

    9. Re:Well then... by greenwow · · Score: 1

      You might can avoid them, but Comcast's Javascript that broke our web site is pretty much unavoidable.

    10. Re:Well then... by Anonymous Coward · · Score: 0

      If Comcast had prefixed their JavaScript function names, then they wouldn't have caused a problem that we would have found. Adding a function named update() that we already had broke our website.

    11. Re:Well then... by hcs_$reboot · · Score: 1

      To where? register.com?

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    12. Re: Well then... by Anonymous Coward · · Score: 1

      Be careful if you need to update your contact info first... They will bar domain transfers for 6 months after a contact update.

    13. Re:Well then... by geoscodin · · Score: 1

      I used NoMonthlyFees.com (as hokey as it sounds) for years until HostingCheck.com bought them several years back, and I still happily use them today.

    14. Re:Well then... by Anonymous Coward · · Score: 0

      Are you serious? Your link contains all unnecessary parameters. You could still go to the same page without all of those &isc=wwbb1902&.... Nowadays, people simply dump a link on a public forum without cleaning it. How sad.

  2. Not Surprising by thechemic · · Score: 4, Insightful

    When you choose to host with a company like GoDaddy, why would you expect anything less?

    --
    Let's make like a bird... and get the flock outta here.
    1. Re: Not Surprising by Anonymous Coward · · Score: 2, Funny

      The colloquial is NoDaddy
      Obligatory pun
      Also the company literally has nothing to offer except bad customer service

    2. Re: Not Surprising by Anonymous Coward · · Score: 0

      I expect a shiny aluminum brushed mactop pure bliss. I leave godaddy and Pirate Bay to someone else

    3. Re: Not Surprising by Anonymous Coward · · Score: 0

      Even if you're just using the management features on their website, it's pretty crap for bulk domain stuff. You'll have to do a lot of actions again and again, whereas other hosting providers (*cough*Namecheap*cough*) make it a little easier for bulk management.

    4. Re:Not Surprising by Anonymous Coward · · Score: 0

      Them to inject photos/videos of tits on my website, not site-breaking javascript. One is offensive to the decency of half the species and harmful to children; the other is an anatomical body part that for a long time was important for sustaining the life of babies.

    5. Re:Not Surprising by hcs_$reboot · · Score: 1

      The thing is, many people chose GD a long time ago, then just extend.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  3. Yet another reason ... by Anonymous Coward · · Score: 5, Insightful

    This is yet another reason why I block javascript in my browser.

    I pretty much hit a page, check the parasites, block any new ones I've not yet blocked ... and then reload and do it again.

    I consider pretty much all third party stuff, especially javascript, as unwanted parasites ... they exist to track me and sell my data, and they can't do any of that when I block their domains from my browser.

    Your domain registrar has no fucking business knowing who I am.

    And eventually marketing says "hey, if we can do that, why can't we insert our own ads?".

    Of course, in a sane legal environment, modifying someone's copyrighted web page in transit for your own purposes would be illegal. I view it the same as wiretapping.

    1. Re:Yet another reason ... by Anonymous Coward · · Score: 0

      Of course, in a sane legal environment, modifying someone's copyrighted web page in transit for your own purposes would be illegal. I view it the same as wiretapping.

      It is, unless you get an insane judge from US 9th Circuit ( California ). Injecting code into a copyrighted web page adds no value to that page and thus should not be considered "fair use".

      The problem is that it will take someone like the EFF or Jeff Bezos to fight it all the way to SCOTUS as all the data collection companies will fight against it until they run out of money.

    2. Re:Yet another reason ... by thechemic · · Score: 4, Insightful

      I agree with the act, though the method you're using (black-listing) seems a bit backward. It would be more secure and a lot less laborious to block all javascript, and then white-list the URLs/Domains that you trust (bank, etc.).

      --
      Let's make like a bird... and get the flock outta here.
    3. Re:Yet another reason ... by Anonymous Coward · · Score: 0

      It would be more secure and a lot less laborious to block all javascript, and then white-list the URLs/Domains that you trust

      Oh, there's some of that as well.

      Cookies are whitelist only so I don't hit a site which sets them before I get to blacklist. Scripts are blocked by default and I have to enable them, but I will also block the entire domain so things like images and CSS and other stuff can't get ran.

      When I first hit a website, it can't run scripts ... but then I completely block its scripts explicitly and any third party crap.

      Depending on the browser, it will be several extensions which are blocking, but javascript is implicitly disabled for any site, and then explicitly disabled for the site and 3rd party domains. One extension blocks scripts until I allow them, another lets me block any form of requests to the domain.

      I'm definitely not hitting sites with scripts enabled and then blocking. But I ruthlessly block *any* form of request from the assholes and parasites.

    4. Re: Yet another reason ... by Anonymous Coward · · Score: 0

      I doubt it is an act. There are entire forums dedicated to godaddy horror stories. The domain is actually blocked permanently on many intranets

    5. Re:Yet another reason ... by Anonymous Coward · · Score: 0

      the old web lost its way when corporations like microsoft, oracle and google got a hold of it, it's a cesspool of tracking, and advertising enabled by unchecked javascript code. it's sad but it must be deprecated like gopher and replaced by a suite of federated protocols

    6. Re:Yet another reason ... by Anonymous Coward · · Score: 0

      This is yet another reason why I block javascript in my browser.

      I pretty much hit a page, check the parasites, block any new ones I've not yet blocked ... and then reload and do it again.

      I consider pretty much all third party stuff, especially javascript, as unwanted parasites ... they exist to track me and sell my data, and they can't do any of that when I block their domains from my browser.

      Your domain registrar has no fucking business knowing who I am.

      And eventually marketing says "hey, if we can do that, why can't we insert our own ads?".

      Of course, in a sane legal environment, modifying someone's copyrighted web page in transit for your own purposes would be illegal. I view it the same as wiretapping.

      They know who you are and your crude attempts at blocking them, even if you're using a VPN, are about 20 years behind the curve. If you want to block them you need to go completely off the grid.

    7. Re:Yet another reason ... by Anonymous Coward · · Score: 1

      I'd like to inject some javascript code into my bank's webpage

      Still think it's a good idea?

    8. Re:Yet another reason ... by Anonymous Coward · · Score: 0

      So you block them after they have run their script?

    9. Re:Yet another reason ... by thegarbz · · Score: 1

      Sure, but I prefer to use the internet and not micromanage it.

  4. GoDaddy is a domain registrar by Anonymous Coward · · Score: 0

    Their hosting is abysmal. Go anywhere else.

  5. Is this even in the EULA? by Anonymous Coward · · Score: 0

    If breaking a customer's website without their consent or notification this is grounds for some action. What a bunch of stupid assholes.

    1. Re:Is this even in the EULA? by Anonymous Coward · · Score: 1

      Not EULA but TOS:

      You hereby grant GoDaddy a worldwide, non-exclusive, royalty-free, sublicensable (through multiple tiers), and transferable license to use, reproduce, distribute, prepare derivative works of, combine with other works, display, and perform your User Content in connection with this Site, the Services and GoDaddy’s (and GoDaddy’s affiliates’) business(es), including without limitation for promoting and redistributing all or part of this Site in any media formats and through any media channels without restrictions of any kind and without payment or other consideration of any kind, or permission or notification, to you or any third party.

      So they can prepare derivative works of your User Content, and they can display your User Content. IANAL so I don't know if they can compose the two and display a derivative work of your User Content.

    2. Re: Is this even in the EULA? by Anonymous Coward · · Score: 0

      I wonder if you are able to deploy your own JS for your GoDaddy sites? Perhaps it wouldn't be too hard to walk the DOM and remove unexpected nodes?
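
The check this comment suggests can also be run from outside the page, by diffing the `<script>` elements in the HTML you deployed against the HTML the host actually serves. This is an added example, not part of the comment and not GoDaddy's code; the markup, the `shop.example` URL and the `metrics.hosting-provider.example` host are constructed.

```javascript
// Added example: report <script> elements present in the served HTML
// but absent from the HTML the site owner deployed.
// All sample markup and host names below are constructed.

// Extract every <script> element as { src, inline }.
// Regex-based on purpose so it runs without a DOM; attribute values
// containing ">" are not handled.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const srcMatch =
      /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    const src = srcMatch ? (srcMatch[1] ?? srcMatch[2] ?? srcMatch[3]) : null;
    // Normalise whitespace so re-indentation by the host is not a false hit.
    const inline = src !== null ? "" : m[2].replace(/\s+/g, " ").trim();
    scripts.push({ src, inline });
  }
  return scripts;
}

function scriptKey(s) {
  return s.src !== null ? "src:" + s.src : "inline:" + s.inline;
}

// Multiset difference: a script deployed once but served twice is reported.
function findInjectedScripts(deployedHtml, servedHtml) {
  const expected = new Map();
  for (const s of extractScripts(deployedHtml)) {
    const k = scriptKey(s);
    expected.set(k, (expected.get(k) || 0) + 1);
  }
  const injected = [];
  for (const s of extractScripts(servedHtml)) {
    const k = scriptKey(s);
    const left = expected.get(k) || 0;
    if (left > 0) expected.set(k, left - 1);
    else injected.push(s);
  }
  return injected;
}

// Resolve external scripts against the page URL so the report names the
// origin that would receive the visitor's request.
function describeInjected(deployedHtml, servedHtml, pageUrl) {
  return findInjectedScripts(deployedHtml, servedHtml).map((s) =>
    s.src !== null
      ? { kind: "external", origin: new URL(s.src, pageUrl).origin, src: s.src }
      : { kind: "inline", code: s.inline }
  );
}

// Constructed sample: what the owner uploaded.
const DEPLOYED = `<!doctype html>
<html><head><title>Shop</title>
<script src="/js/app.js"></script>
</head><body>
<h1>Hello</h1>
<script>initCart();</script>
</body></html>`;

// Constructed sample: what a visitor receives after the host adds a
// metrics snippet before the closing body tag.
const SERVED = `<!doctype html>
<html><head><title>Shop</title>
<script src="/js/app.js"></script>
</head><body>
<h1>Hello</h1>
<script>initCart();</script>
<script>window.exampleMetrics = { start: Date.now() };</script>
<script src="https://metrics.hosting-provider.example/rum.js" async></script>
</body></html>`;

for (const item of describeInjected(DEPLOYED, SERVED, "https://shop.example/")) {
  console.log("not in deployed source:", JSON.stringify(item));
}
```

Running this from a scheduled job against the live URL catches the injection without relying on client-side code that the injected script could itself break.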

    3. Re:Is this even in the EULA? by Errol+backfiring · · Score: 1

      If someone wilfully asks an advertising company to do a cross-site scripting attack on his site, he should not complain that it has consequences. Come on, what do you expect?

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  6. I was wondering why my website on GoDaddy was slow by ITRambo · · Score: 3, Informative

    Damn them. No company should inject code into any website that customers actually pay for. If they want to host for free, that's another story. And yeah. My website is a lot slower than it was. I thought it was my ISP, but the speeds are in spec. Transferring a complex website is a real time consuming PITA. I'll do it anyway, if they break my site.

  7. What's in a Name? by Anonymous Coward · · Score: 0

    While I don't agree with the idea (what if they start injecting code into my scripted pages that are actually outputting JSON instead of HTML?), their "Real User Metrics" name makes sense, and I feel like it can apply even without gathering "user information". I think the part to focus on here is "real user", meaning that they're gathering information on how pages load for "real users", rather than their own internal testing.

    1. Re: What's in a Name? by Anonymous Coward · · Score: 0

      I think they call this bifurcating the user experience.

    2. Re:What's in a Name? by mick232 · · Score: 3, Informative

      The term RUM is a pretty standard term in the application performance monitoring industry. And yes, it refers to the fact that performance data of real users is collected instead of synthetic tests.

    3. Re: What's in a Name? by Anonymous Coward · · Score: 0

      I agree it is standard for many sites except the creepy ones. Unethical web hosting sites gotta play by someone elses rules. I would never buy an explanation of this type from an obviously pill pushing retailer that just wants to get you to hand over stuff with no disclosure on risk or any other facts at all other than well you have to because we are special. Aint special. Aint attractive. Aint using it.

    4. Re:What's in a Name? by Anonymous Coward · · Score: 0

      The question is do they sanitize/anonymize the RUM properly, or are we just "taking their word" as bullshitters with a horrible record that they're not collecting that? I would almost expect them to be lying.

    5. Re:What's in a Name? by mick232 · · Score: 1

      RUM typically collects page URI, page load time, IP address, geo location, user agent, various other metrics of page performance, and others. RUM products I know are not designed to spy on the users but to show page performance including long term historical trends. Thus, the data is usually heavily aggregated as the amount of storage space to keep individual records would grow very quickly and is not what RUM users are interested in.

    6. Re: What's in a Name? by Anonymous Coward · · Score: 0

      Maybe they should use the standard analytic tools. Oh they cant because they dont understand them and they want customers do understand and pay for them. Get lost

    7. Re: What's in a Name? by Anonymous Coward · · Score: 0

      Standard tools are like poetry. Those days are gone. Now we just have truly malicious JavaScript

    8. Re: What's in a Name? by Anonymous Coward · · Score: 0

      Quite a few standard tools are complete crap. So many issues people overlook because "software is hard". The act of coding is 95% thinking and 5% typing. If you find it difficult, either you have physical issues with your hands or mental limitations and may be better off in another job sector.

  8. Re:I was wondering why my website on GoDaddy was s by Anonymous Coward · · Score: 0

    Could this be considered a cross site scripting attack, and is there any legal recourse?

  9. All for it by SuperKendall · · Score: 5, Funny

    At first I was against it, but after reading that it breaks AMP I say - Bravo, sir. Bravo.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  10. Re: I was wondering why my website on GoDaddy was by Anonymous Coward · · Score: 0

    Yes there is if you want to literally pollute your day spending more time with GoDaddy, which I do not.

  11. Fuck godaddy by damn_registrars · · Score: 4, Insightful

    Fuck them sideways, upside down, and backwards. I started managing a website for a local nonprofit a while ago that was setup through godaddy (prior to my helping them) and it's been a disaster. A few weeks ago the website suddenly became only sporadically responsive, and only for certain types of connections. A lot of users (including me from some locations) were getting nothing when trying to connect (no 404, no error, just a blank page with no source).

    I then spent 2 hours in their "support chat" where I was bumped through three different support people. They tried to blame the problem on me and made me jump through a bunch of arbitrary hoops to prove them wrong. Then they said it was due to "website plugins" and left it to me to figure out what plugins needed attention (even though all the plugins run through their fucking servers).

    Then after that, they disconnected me; their chat system leaving me no transcript of the support session.

    This is appalling. We're ready to move our domain and site elsewhere.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  12. New Relic? by Configio · · Score: 2

    I wouldn't be surprised if they were just using New Relic APM for this purpose. If so, they are probably doing this just for the purpose they stated. Perhaps they still should have made it opt-in, but there's a reasonable chance nothing nefarious was intended.

  13. Did this about 10 years ago from godaddy by Anonymous Coward · · Score: 0

    you are 10 years behind the curve. tell me it's not the low uid?

  14. Not surprised at all... by kurkosdr · · Score: 4, Insightful

    GoDaddy acts as if they own their customers' websites and as if their customers are mere "content providers" for the sites GoDaddy "owns". For example, they will register the domain that a customer chose to themselves, and if they think the customer breached their TOS for whatever reason they will take over the domain and fill it with ads. Avoid GoDaddy if you can. And that's a big "if", since GoDaddy aggressively hoards (parks) domains which they never relinquish even if you "register" the domain with them (I put "register" in quotes because you are not really registering any domain to your name).

    1. Re: Not surprised at all... by Anonymous Coward · · Score: 0

      It really is disgusting. All they do is find ways to take money. And they would never budge on anything, just deflect and toss out all the same bullshit talking points they spend all their time and excessive amounts of cash training their people to say all day long.

  15. You should have done it during the SOPA boycott by Anonymous Coward · · Score: 0

    You put up with their abuse for so long, I have no sympathy for people who get cucked by them.

  16. I had used GoDaddy for a while... by QuietLagoon · · Score: 1

    ... but I left them because of the types of business practices I saw.

  17. I can't believe people still use GoDaddy by Anonymous Coward · · Score: 0

    they're like the Monsanto, or Microsoft, or today's Apple, of the Internet and cloud service providers. It's like you WANT to get shafted just to save that $4 per year for your domain or whatever you're buying.

    1. Re:I can't believe people still use GoDaddy by Pascoea · · Score: 1

      It's like you WANT to get shafted just to save that $4 per year for your domain or whatever you're buying.

      Personal experience, they are more expensive for .com addresses. I used them to register the domains (self hosted) but just moved my last one away from them at renewal time. I use porkbun, and so far no issues, and 4-5$ cheaper.

  18. Re:Not Surprising - Ditto by Anonymous Coward · · Score: 0

    I was going to write the same post. Thank goodness I moved to 1and1 (ha!)

  19. First there was Flash by Anonymous Coward · · Score: 0

    First there was Flash, now we have Java Script.

    Until there is serious prison time and criminal bankruptcy for CEO's and other management, personal information will continue to be gathered, sorted, sold with no regard to the consequences.

  20. Shut up, APK by Anonymous Coward · · Score: 0

    Shut up, APK. We know you're the individual responsible for stalking SuperKendall and Ray Morris.

  21. Opt-Out by Anonymous Coward · · Score: 1

    Just verified that the instructions in the article work. My site is now opted out. IT SHOULD NEVER HAVE BEEN OPTED IN !!!

    Looking for a new hosting service.

    Fuck you GoDADDY

  22. Re: amicusNYCL you'd LIKE it to look that way by Anonymous Coward · · Score: 0

    You pretend to be Ray Morris' friend, then accuse him of being a Nazi. You've been stalking SuperKendall for months. Everyone knows you're responsible, no matter how many feeble denials you post. You're also in denial about your heroin addiction, which you projected onto a different AC last night.

  23. I never said raymorris & I are pals... apk by Anonymous Coward · · Score: 0

    See subject: ONLY that I respect he applied himself for the "general good" (start of self-actualization). I don't do heroin https://science.slashdot.org/c... as I told you there also (but I BET you do - "your kind", weezils & WHIMPS have to TRY "drown your sorrows" @ being HUMAN FAILS, lol - pitiful).

    For Pete's sake: I'm a FORMER NCAA 1st string athlete & decently accomplished guy - unlike you - I have ZERO REASONS to escape in HEROIN (like you, obviously, since you're FIXATED on that).

    * You project your OWN FAULTS onto ME & you constantly FAIL (it's all "your kind", the not-men DEFECTIVES (per gweihir which made me LMAO as it's truth he sees about you too) "ne'er-do-well" LAZY do-NOTHINGS like you can do (you're GOOD @ 1 thing though - take heart - you are EXCELLENT @ FAILING, lol)).

    HOWEVER: I'd MUCH RATHER be friends w/ a guy like raymorris than a LOSER like you, lol... weezil that HIDES behind UNIDENTIFIABLE anonymous posts STALKING me as you do.

    APK

    P.S.=> Hahahahahaha (I love it - I couldn't have SAID it better)... apk

  24. Interesting tidbit by Anonymous Coward · · Score: 1

    Post as AC for reasons. None of the employees at GoDaddy host there. When they finally got around to offering employee discounts it wasn't enough to tempt anyone to move off their existing hosts. When the people who run the stuff won't use it then it's a big clue that the product isn't the best.

  25. Use an affordable VPS... by Anonymous Coward · · Score: 0

    ...like OVH or DigitalOcean. Then you have complete control over every aspect of the website, including what web server technology you choose to run, and no one will inject their grimy little fingers into the code on the pages of the website.

  26. amicusNYCL you'd LIKE it to look that way by Anonymous Coward · · Score: 0

    amicusNYCL you'd LIKE it to look that way but I don't bug either of them (especially raymorris whom I respect as he does things of value ala a kernelpatch which is MORE than MOST here have managed) so I'll tell you EXACTLY what I did before here https://science.slashdot.org/c... when you tried to "frame me" like the LOSER you are & I point out how BADLY I made you EAT YOUR WORDS before too, CHUMP: I DIDN'T POST THAT CRAP! In fact, I get YOU did trying to 'frame me' like the PUSSY you are playing BITCH games (which is all a BITCH knows HOW to do).

    * Hahahahaha - too easy!

    ESPECIALLY SEEING YOU HAVE TO EFFETELY TRY "downmod hide" THIS POST last time I posted it here https://tech.slashdot.org/comm... - "I see you" & RIGHT thru you (knowing YOU better than you know YOUR wasted life SELF), lol - your favorite color HAS to be "TRANSPARENT", right? Has to be, lol!

    APK

    P.S.=> amicusNYCL you're SUCH a pussy - go live in your Arizona DESERT punk - nobody wants YOU around & it's WHY you live in the wasteland (because you ARE a WASTE of LIFE, & you not only KNOW it, but your STUPIDITY proves it along w/ being nothing MORE than a CHATTERING twat you are, building nothing of VALUE (but I do w/ proof https://hardware.slashdot.org/... & WEEZILS like you? Don't - all you DO is play BITCH GAMES & try to 'start rumors' like some TWISTED weak HOMO would do, lol!))... apk

  27. They didn't invent RUM by Anonymous Coward · · Score: 0

    GoDaddy didn't invent "RUM" very misleading and WAY overblown. Shows the poster is clueless which makes the whole thing suspicious.

  28. GoDaddy by Anonymous Coward · · Score: 0

    Every time I hear that name, an image of a pimp, complete with large hat with leopard print band and a big feather always comes to mind. Sometimes the image includes a couple of his hoes, well beaten into compliance.

    "Who's your daddy? I'm your Daddy, bitch."

  29. Time for a new hashtag? by Anonymous Coward · · Score: 0

    #GoDouchey

  30. I reported them to ICANN by Anonymous Coward · · Score: 0

    I deliberately let a domain lapse. They replaced the anonymized contact information with my personal details and didn't remove the domain.
    I complained to them, nothing back. I complained to ICANN, got a response back within a couple of hours.
    My name disappeared and GD rudely told me I had registered an invalid complaint and closed the ticket.