Slashdot Mirror

← Back to Stories (view on slashdot.org)

GoDaddy is Injecting Site-Breaking JavaScript Into Customer Websites (techrepublic.com)

Posted by msmash on from the closer-look dept.

Web hosting service GoDaddy is injecting JavaScript into customer websites that could impact the overall performance of the website or even render it inoperable, according to Australian programmer Igor Kromin. From a report: GoDaddy's analytics system is based on W3C Navigation Timing, but the company's practice of unilaterally opting in paying customers to an analytics service -- tracking the visitors to websites hosted on GoDaddy services -- without forewarning is deserving of criticism. GoDaddy claims the technology, which it calls "Real User Metrics" (RUM), "[allows] us to identify internal bottlenecks and optimization opportunities by inserting a small snippet of javascript code into customer websites," that will "measure and track the performance of your website, and collects information such as connection time and page load time," adding that the script does not collect user information. The script name "Real User Metrics" is somewhat at odds with that claim; likewise, GoDaddy provides no definition of "user information."

GoDaddy claims "most customers won't experience issues when opted-in to RUM, but the JavaScript used may cause issues including slower site performance, or a broken/inoperable website," particularly for users of Accelerated Mobile Pages (AMP), and websites with pages containing multiple ending tags.

31 of 74 comments (clear)

  1. Well then... by TimMD909 · · Score: 4, Insightful

    ... might be time to move all my domains to another company.

    1. Re:Well then... by Oh+really+now · · Score: 2

      I've already done that, back on one of the other times they pulled some nonsense that was a big middle finger extended towards the customer base.

    2. Re:Well then... by Anonymous Coward · · Score: 1

      I moved all of mine from GoDaddy to here... https://www.secureserver.net/?prog_id=2rosenthals&isc=wwbb1902&utm_source=plocp&utm_medium=email&utm_campaign=en-US_x_email_base_pl&utm_content=180602_1902_x_x_x_x_wwbb1902_5FPCIY2iu4ridD8S08hFBn

      Nathan

    3. Re:Well then... by zekica · · Score: 1

      I would suggest a great alternative I used for 8 years, but they got bought by GoDaddy :(

    4. Re:Well then... by fermion · · Score: 2
      It was time five years ago. Godaddy has value if you need free and your time it worth nothing. I move to namecheap a long time ago, when I forgot to renew my domain name and godaddy held it hostage.

      I pay these people to register my domain names, and I pay s fair amount. I know it is hard to make a profit, but really what do they actually do that costs so much? I don't need someone trying to monetize me when I am already paying them.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    5. Re:Well then... by bobbied · · Score: 4, Informative

      ... might be time to move all my domains to another company.

      My friend who was a GoDaddy customer for over a decade did just that a month ago. Mainly because they kept black holing his domains because of THEIR code change.

      He ran a business, and the website going down was a BAD thing for him. After nearly a decade of running on this hosting service, having not made any changes to his website for over 3 months all of a sudden GoDaddy TOSed him for excessive CPU usage, "No you may not access any of your data thank you". A day on the phone later, they restore him after he pleads with their customer support and appeals to his long record of service. He decides to make a backup of everything now, bad call, he gets TOSed again the next day, this time they won't restore him.

      He got to looking at his backups and notices that what happened was GoDaddy CHANGED their backup processes and modified his system by applying patches. Anytime he ran backups, the CPU usage would spike. So, because he had subscribed to GoDaddy's backup service AND then dared to actually run a backup manually the bug they installed caused them to TOS him.

      He's not on GoDaddy now, after decades of trouble free service. Their loss..

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    6. Re:Well then... by demon+driver · · Score: 1

      So did HostEurope, which used to be a good address, too...

    7. Re:Well then... by greenwow · · Score: 1

      You might can avoid them, but Comcast's Javascript that broke our web site is pretty much unavoidable.

    8. Re:Well then... by hcs_$reboot · · Score: 1

      To where? register.com?

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    9. Re: Well then... by Anonymous Coward · · Score: 1

      Be careful if you need to update your contact info first... They will bar domain transfers for 6months after a contact update.

    10. Re:Well then... by geoscodin · · Score: 1

      I used NoMonthlyFees.com (as hokey as it sounds) for years until HostingCheck.com bought them several years back, and I still happily use them today.

  2. Not Surprising by thechemic · · Score: 4, Insightful

    When you choose to host with a company like GoDaddy, why would expect anything less?

    --
    Let's make like a bird... and get the flock outta here.
    1. Re: Not Surprising by Anonymous Coward · · Score: 2, Funny

      The colloquial is NoDaddy
      Obligatory pun
      Also the company literally has nothing to offer except bad customer service

    2. Re:Not Surprising by hcs_$reboot · · Score: 1

      The thing is, many people chose GD a long time ago, then just extend.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  3. Yet another reason ... by Anonymous Coward · · Score: 5, Insightful

    This is yet another reason why I block javascript in my browser.

    I pretty much hit a page, check the parasites, block any new ones I've not yet blocked ... and then reload and do it again.

    I consider pretty much all third party stuff, especially javsascript, as unwanted parasites ... they exist to track me and sell my data, and they can't do any of that when I block their domains from my browser.

    Your domain registrar has no fucking business knowing who I am.

    And eventually marketing says "hey, if we can do that, why can't we insert our own ads?".

    Of course, in a sane legal environment, modifying someone's copyrighted web page in transit for your own purposes would be illegal. I view it the same as wiretapping.

    1. Re:Yet another reason ... by thechemic · · Score: 4, Insightful

      I agree with the act, though the method you're using (black-listing) seems a bit backward. It would be more secure and a lot less laborious to block all javascript, and then white-list the URLs/Domains that you trust (bank, etc.).

      --
      Let's make like a bird... and get the flock outta here.
    2. Re:Yet another reason ... by Anonymous Coward · · Score: 1

      I'd like to inject some javascript code into my banks webpage

      Still think it's a good idea?

    3. Re:Yet another reason ... by thegarbz · · Score: 1

      Sure, but I prefer to use the internet and not micromanage it.

  4. I was wondering why my website on GoDaddy was slow by ITRambo · · Score: 3, Informative

    Damn them. No company should inject code into any website that customer actually pay for. If they want to host for free, that's another story. And yeah. My website is a lot slower than it was. I thought it was my ISP, but the speeds are in spec. Transferring a complex website is a real time consuming PITA. I'll do it anyway, if they break my site.

  5. Re:What's in a Name? by mick232 · · Score: 3, Informative

    The term RUM is a pretty standard term in the application performance monitoring industry. And yes, it refers to the fact that performance data of real users is collected instead of synthetic tests.

  6. All for it by SuperKendall · · Score: 5, Funny

    At first I was against it, but after reading that it breaks AMP I say - Bravo, sir. Bravo.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  7. Fuck godaddy by damn_registrars · · Score: 4, Insightful

    Fuck them sidways, upside down, and backwards. I started managing a website for a local nonprofit a while ago that was setup through godaddy (prior to my helping them) and it's been a disaster. A few weeks ago the website suddenly became only sporadically responsive, and only for certain types of connections. A lot of users (including me from some locations) were getting nothing when trying to connect (no 404, no error, just a blank page with no source).

    I then spent 2 hours in their "support chat" where I was bumped through three different support people. They tried to blame the problem on me and made me jump through a bunch of arbitrary hoops to prove them wrong. Then they said it was due to "website plugins" and left it to me to figure out what plugins needed attention (even though all the plugins run through their fucking servers).

    Then after that, they disconnected me; their chat system leaving me no transcript of the support session.

    This is appalling. We're ready to move our domain and site elsewhere.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  8. New Relic? by Configio · · Score: 2

    I wouldn't be surprised if they were just using New Relic APM for this purpose. If so, they are probably doing this just for the purpose they stated. Perhaps they still should have made it opt-in, but there's a reasonable chance nothing nefarious was intended.

  9. Not surprised at all... by kurkosdr · · Score: 4, Insightful

    GoDaddy acts as if they own their customers' websites and as if their customers are mere "content providers" for the sites GoDaddy "owns". For example, they will register the domain that a customer chose to themselves, and if they think the customer breached their TOS for whatever reason they will take over the domain and fill it with ads. Avoid GoDaddy if you can. And that's a big "if", since GoDaddy aggressively hoards (parks) domains which they never relinquish even if you "register" the domain with them (I put "register" in quotes because you are not really registering any domain to your name).

  10. Re:Is this even in the EULA? by Anonymous Coward · · Score: 1

    Not EULA but TOS:

    You hereby grant GoDaddy a worldwide, non-exclusive, royalty-free, sublicensable (through multiple tiers), and transferable license to use, reproduce, distribute, prepare derivative works of, combine with other works, display, and perform your User Content in connection with this Site, the Services and GoDaddy’s (and GoDaddy’s affiliates’) business(es), including without limitation for promoting and redistributing all or part of this Site in any media formats and through any media channels without restrictions of any kind and without payment or other consideration of any kind, or permission or notification, to you or any third party.

    So they can prepare derivative works of your User Content, and they can display your User Content. IANAL so I don't know if they can compose the two and display a derivative work of your User Content.

  11. Re:What's in a Name? by mick232 · · Score: 1

    RUM typically collects page URI, page load time, IP address, geo location, user agent, various other metrics of page performance, and others. RUM products I know are not designed to spy on the users but to show page performance including long term historical trends. Thus, the data is usually heavily aggregated as the amount of storage space to keep individual records would grow very quickly and is not what RUM users are interested in.

  12. I had used GoDaddy for a while... by QuietLagoon · · Score: 1

    ... but I left them because of the types of business practices I saw.

  13. Opt-Out by Anonymous Coward · · Score: 1

    Just verified that the instructions in the article work. My site is now opted out. IT SHOULD NEVER HAVE BEEN OPTED IN !!!

    Looking for a new hosting service.

    Fuck you GoDADDY

  14. Re:I can't believe people still use GoDaddy by Pascoea · · Score: 1

    It's like you WANT to get shafted just to save that $4 per year for your domain or whatever you're buying.

    Personal experience, they are more expensive for .com addresses. I used them to register the domains (self hosted) but just moved my last one away from them at renewal time. I use porkbun, and so far no issues, and 4-5$ cheaper.

  15. Interesting tidbit by Anonymous Coward · · Score: 1

    Post as AC for reasons. None of the employees at GoDaddy host there. When they finally got around to offering employee discounts it wasn't enough to tempt anyone to move off their existing hosts. When the people who run the stuff won't use it then it's a big clue that the product isn't the best.

  16. Re:Is this even in the EULA? by Errol+backfiring · · Score: 1

    If a someone wilfully asks an advertising company to do a cross-site scripting attack on his site, he should not complain that it has consequences. Come on, what do you expect?

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!