
GoDaddy Hacks Its Own Customers

By Duane Thresher, Ph.D. January 11, 2018

A web page is created by program code — usually HTML, JavaScript, and CSS together — that tells a web browser how to display it and what to do when the user interacts with it, such as entering information. Cross-site scripting (XSS) is a hacking technique in which code is secretly added to a web page's code so that it runs in the web browser of anyone viewing the web page, just like the authentic web page code, but performs possibly malicious actions. GoDaddy, a leading web hosting (web page serving) provider, was discovered using XSS on some of its customers.

"Scripting" in cross-site scripting refers to web page code, typically JavaScript code inside <script> tags of the web page's HTML. "Cross-site" refers to code secretly added from elsewhere, like another website, running as if it were from the authentic website. This has serious implications because, as a primary security measure (the same-origin policy), browsers will not allow code from one website, possibly malicious, to access the data, possibly sensitive user-supplied information, stored by code from another website, like a banking website. XSS defeats this primary browser security measure and is one of the most commonly used hacking techniques.

Hacking by XSS is why web developers, those who create web pages, should know web page coding and code their own web pages, not use web page creation software like Dreamweaver, which is advertised as a way to create web pages without knowing how to code. Further, it is why the web page code should be reviewed, periodically, where the website is hosted, and not just where the code is uploaded from. This can be done, by anybody for any web page, by viewing the page source (often in the developer menu) in a web browser.

The website where this article is posted, Apscitu.com, is hosted by GoDaddy. I know web page coding and coded all the Apscitu.com pages. Recently, just after the web page code was uploaded, I reviewed the code on the hosted website as described. At the bottom of the code for the Apscitu home page, exactly where a hacker would put it so it would be least likely to be noticed, was code that I knew I had not put there:

<script>'undefined'=== typeof _trfq || (window._trfq = []);'undefined'=== typeof _trfd && (window._trfd=[]),_trfd.push({'tccl.baseHost':'secureserver.net'}),_trfd.push({'ap':'cpsh'},{'server':'p3plcpnl0846'}) // Monitoring performance to make your website faster. If you want to opt-out, please contact web hosting support.</script><script src='https://img1.wsimg.com/tcc/tcc_l.combined.1.0.6.min.js'></script>

Nowhere does it say the code was put there by GoDaddy and what it does say, "Monitoring performance to make your website faster. If you want to opt-out, please contact web hosting support.", is exactly what a hacker would put there to dissuade you from trying to remove it.

I had to do some research to find out that GoDaddy did actually put that XSS code there. The research did not involve contacting GoDaddy support since I know from frustrating experience that the answer is inevitably: "We don't know anything about this. Sorry for the inconvenience but too bad for you. Would you like to buy more of our products?" It didn't even involve reading GoDaddy Help web pages, which have little useful (understandable and up-to-date) information and are often mostly links to other GoDaddy Help pages. After you've clicked links in circles for a while you give up.

I found only one reference to this GoDaddy XSS code online via searching for the "Monitoring" sentence from it. It was on a non-GoDaddy web page but of a GoDaddy business customer who developed websites for his customers. (To protect him from GoDaddy retaliation I won't identify him.) He was horrified and angry to find this code in his customers' web pages, via security checking software, and spent a lot of time changing customer passwords before he discovered it was GoDaddy's XSS code.

He gave GoDaddy's secret way to opt out of this "monitoring", which was only provided to him by a commenter on his website even though he had talked to GoDaddy support about the issue. To opt out you have to know to click on the three dots next to the cPanel Admin button on your GoDaddy web hosting management page. There is no logical reason for these three dots to be there since the cPanel Admin button itself takes you to the page where you do everything and would be what you would always click. If, just out of curiosity, you do click on the three dots, there is a list of options and one of these is Help Us. If, just out of curiosity, you click on Help Us, you finally get to a brief explanation of the monitoring and an Opt Out button, but right next to a "No, thanks" button that, incongruously and suspiciously, is to CONTINUE the GoDaddy monitoring.

An opt-out that is secret is absurd and unethical. I was reminded of the scene from Douglas Adams's The Hitchhiker's Guide to the Galaxy where the hero awakes to find that his house is about to be bulldozed to make way for a road. He protests that he was never informed about this and finds out that the plans have been "on display" for public comment "in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'" in the unlit stairless cellar of the local government planning office for nine months. If he couldn't be bothered to read the plans then too bad for him.

I read through GoDaddy's web hosting agreement, which includes GoDaddy's 30-page(!) Universal Terms of Service Agreement, and could find nothing explicitly about adding code to monitor performance. I'm sure buried in GoDaddy's agreement, which they know almost nobody ever reads, written in some obscure way, you agree to this though. That may make it legal — although it is not INFORMED consent — but it's still unethical.

In any case, I opted out as described. I was somewhat reassured that the XSS code was indeed from GoDaddy when the code disappeared after I opted out. Still, I regularly check, as described, to make sure this or any other XSS code has not been added.
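The regular check described above (comparing the code as served by the host with the code as uploaded), automated as an added example that is not Apscitu's or GoDaddy's code: it lists every <script> element in the served page that is absent from the uploaded source and names the third-party hosts those scripts would load code from. The sample HTML is constructed here, with an abbreviated copy of the snippet shown earlier and a made-up example.invalid analytics host standing in for a script the author knowingly added.

```python
# Added example (not Apscitu's or GoDaddy's code): automate the article's check by
# listing <script> elements present in the served page but absent from the upload.
# The sample HTML is constructed; its injected part is an abbreviated copy of the snippet.
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collect every <script> element as {"src": str | None, "body": str}."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:  # script bodies arrive as raw text, possibly in chunks
            self.scripts[-1]["body"] += data

def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts

def _fingerprint(script):
    # Whitespace-normalised so the host's reformatting cannot mask a match.
    return (script["src"], " ".join(script["body"].split()))

def injected_scripts(uploaded_html, served_html):
    """Scripts in the served page whose fingerprint is absent from the upload."""
    baseline = {_fingerprint(s) for s in collect_scripts(uploaded_html)}
    return [s for s in collect_scripts(served_html) if _fingerprint(s) not in baseline]

def external_hosts(scripts):
    """Distinct hosts the given scripts would load further code from."""
    return sorted({urlparse(s["src"]).hostname for s in scripts if s["src"]})

# Constructed sample: the page as uploaded, then the same page as served by the host.
UPLOADED_HTML = """<html><body><h1>Apscitu</h1>
<script src='https://example.invalid/analytics.js'></script></body></html>"""
SERVED_HTML = UPLOADED_HTML + (
    "<script>'undefined'=== typeof _trfq || (window._trfq = []); // Monitoring performance "
    "to make your website faster. If you want to opt-out, please contact web hosting support."
    "</script><script src='https://img1.wsimg.com/tcc/tcc_l.combined.1.0.6.min.js'></script>")
```

Run it against a saved copy of the uploaded file and the HTML fetched from the hosted site; any entry returned by injected_scripts is code you did not put there.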

I'm still not sure what the GoDaddy XSS code is for though. GoDaddy can say anything it wants, true or untrue, so the code may or may not be for "monitoring performance to make your website faster". Further, this XSS code is apparently only injected into web pages of some, not all, GoDaddy web hosting customers. How they decide which customers is unknown.

What is the harm from this XSS code if it is from GoDaddy?

Despite GoDaddy saying it is trying to make your website faster with the added XSS code, the more web page code, the slower the web page loads in a browser. The slower the web page loads, the less likely the user is to actually stay and view the webpage. The XSS code may not look like much but the "https://img1.wsimg.com/tcc/tcc_l.combined.1.0.6.min.js" part is a command to load even more JavaScript code from elsewhere. I read that code and it is lengthy.

The "JavaScript code from elsewhere" is from another website, wsimg.com, so it is truly "cross-site" scripting. It took some digging to find it out, but wsimg.com is registered to Wild West Domains, which is one of the GoDaddy family of companies.

Even though the XSS code is from GoDaddy it still may be a security vulnerability. GoDaddy is just like most IT companies these days in that it hires incompetent IT people — see Apscitu's Stop IT Incompetence website — who may not know enough to code securely. They could completely negate the careful secure coding of your website.

Note that this code is similar to that used by Google Analytics but with a critical difference. Google Analytics is how many website owners know how many hits, and from where and when, their web pages are getting, which is very important information for a website owner. Apscitu.com itself uses Google Analytics. I'll be discussing Google Analytics in a later article since it too has issues.

The critical difference between the GoDaddy and Google Analytics code is that the Google Analytics code is knowingly added, with considerable effort, by the web page coder, not secretly by Google. Incidentally, Google instructs coders to add its code at the very beginning of the web page code, not hidden at the end.

Why do I stay with GoDaddy for my web hosting? One reason is that GoDaddy is one of the largest web hosting companies in the world and knowing how they work allows me to help Apscitu's clients.

GoDaddy though, may cancel my web hosting service in retaliation for exposing them in this article. GoDaddy's Universal Terms of Service Agreement says:

"GoDaddy may remove any item of User Content (whether posted to a website hosted by GoDaddy or posted to this Site) and/or terminate a User's access to this Site or the Services found at this Site for posting or publishing any material in violation of this Agreement, or for otherwise violating this Agreement (as determined by GoDaddy in its sole and absolute discretion), at any time and without prior notice."

In short, GoDaddy can cancel your service for any reason at any time. And GoDaddy has a history of doing this. Gordon Lyon (Hi Fyodor!), a network security expert and author of the renowned Nmap, irritated GoDaddy and got kicked off ... 52 seconds after he was notified by voicemail. He then started the anti-GoDaddy website NoDaddy.com, which was popular until GoDaddy bought it out.

Still, I already know how GoDaddy works — it feels like I know all too well — so having my GoDaddy web hosting service forcibly cancelled might be a blessing in disguise. There are other generally better, but smaller, web hosting companies.

I've already sufficiently notified GoDaddy about all of this. It's in an encrypted file on a USB stick that looks like a rock buried in the dirt in a closely-spaced grove of cacti in one of the Saguaro National Parks around Tucson Arizona. If GoDaddy can't be bothered to read it too bad for them.