GoDaddy Hacks Its Own Customers
By Duane Thresher, Ph.D., January 11, 2018
A web page is created by program code — usually HTML,
JavaScript, and CSS together — that tells a web browser
how to display it and what user-interactive action to take,
like user information entry. Cross-site scripting (XSS) is a
hacking technique in which code is secretly added to a web
page's code so that it runs in the web browser of anyone
looking at the web page just like the authentic web page code
but performing possibly-malicious actions. GoDaddy, a leading
web hosting (web page serving) provider, was discovered using
XSS on some of its customers.
Scripting in cross-site scripting refers to web page code,
typically JavaScript code inside <script> tags of the
HTML code of the web page. Cross-site refers to the code
secretly added from elsewhere, like another website, running
as if it were from the authentic website. This has serious
implications because as a primary security measure, browsers
will not allow code from one website, possibly malicious, to
access the data, possibly sensitive user-supplied information,
stored by code from another website, like a banking website.
XSS defeats this browser primary security measure and is one
of the most commonly used hacking techniques.
Hacking by XSS is why web developers, those who create web
pages, should know web page coding and code their own web
pages, not use web page creation software like Dreamweaver,
which is advertised as a way to create web pages without
knowing how to code. Further, it is why the web page code
should be reviewed, periodically, where the website is hosted,
and not just where the code is uploaded from. This can be
done, by anybody for any web page, by viewing the page source
(often in the developer menu) in a web browser.
The website where this article is posted, Apscitu.com, is
hosted by GoDaddy. I know web page coding and coded all the
Apscitu.com pages. Recently, just after the web page code was
uploaded, I reviewed the code on the hosted website as
described. At the bottom of the code for the Apscitu home
page, exactly where a hacker would put it so it would be least
likely to be noticed, was code that I knew I had not put
there:
<script>'undefined'=== typeof _trfq || (window._trfq = []);'undefined'=== typeof _trfd && (window._trfd=[]),_trfd.push({'tccl.baseHost':'secureserver.net'}),_trfd.push({'ap':'cpsh'},{'server':'p3plcpnl0846'}) // Monitoring performance to make your website faster. If you want to opt-out, please contact web hosting support.</script><script src='https://img1.wsimg.com/tcc/tcc_l.combined.1.0.6.min.js'></script>
Nowhere does it say the code was put there by GoDaddy, and what
it does say, "Monitoring performance to make your website
faster. If you want to opt-out, please contact web hosting
support.", is exactly what a hacker would put there to
dissuade you from trying to remove it.
I had to do some research to find out that GoDaddy did
actually put that XSS code there. The research did not
involve contacting GoDaddy support since I know from
frustrating experience that the answer is inevitably: "We
don't know anything about this. Sorry for the inconvenience
but too bad for you. Would you like to buy more of our
products?" It didn't even involve reading GoDaddy Help web
pages, which have little useful (understandable and
up-to-date) information and are often mostly links to other
GoDaddy Help pages. After you've clicked links in circles for
a while you give up.
I found only one reference to this GoDaddy XSS code online via
searching for the "Monitoring" sentence from it. It was on a
non-GoDaddy web page but of a GoDaddy business customer who
developed websites for his customers. (To protect him from
GoDaddy retaliation I won't identify him.) He was horrified
and angry to find this code in his customers' web pages, via
security checking software, and spent a lot of time changing
customer passwords before he discovered it was GoDaddy's XSS
code.
He gave GoDaddy's secret way to opt out of this "monitoring",
which was only provided to him by a commenter on his website
even though he had talked to GoDaddy support about the issue.
To opt out you have to know to click on the three dots next to
the cPanel Admin button on your GoDaddy web hosting management
page. There is no logical reason for these three dots to be
there since the cPanel Admin button itself takes you to the
page where you do everything and would be what you would
always click. If, just out of curiosity, you do click on the
three dots, there is a list of options and one of these is
Help Us. If, just out of curiosity, you click on Help Us, you
finally get to a brief explanation of the monitoring and an
Opt Out button, but right next to a "No, thanks" button that,
incongruously and suspiciously, is to CONTINUE the GoDaddy
monitoring.
An opt-out that is secret is absurd and unethical. I was
reminded of the scene from Douglas Adams's The Hitchhiker's
Guide to the Galaxy where the hero awakes to find that his
house is about to be bulldozed to make way for a road. He
protests that he was never informed about this and finds out
that the plans have been "on display" for public comment "in
the bottom of a locked filing cabinet stuck in a disused
lavatory with a sign on the door saying 'Beware of the
Leopard'" in the unlit stairless cellar of the local
government planning office for nine months. If he couldn't be
bothered to read the plans then too bad for him.
I read through GoDaddy's web hosting agreement, which includes
GoDaddy's 30-page(!) Universal Terms of Service Agreement, and
could find nothing explicitly about adding code to monitor
performance. I'm sure buried in GoDaddy's agreement, which
they know almost nobody ever reads, written in some obscure
way, you agree to this though. That may make it legal —
although it is not INFORMED consent — but it's still
unethical.
In any case, I opted out as described. I was somewhat
reassured that the XSS code was indeed from GoDaddy when the
code disappeared after I opted out. Still, I regularly check,
as described, to make sure this or any other XSS code has not
been added.
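One way to automate the check described above (comparing the code you uploaded with what the host actually serves, and flagging any script that appears only in the served copy), as an added example that is not the article's own code. The sample HTML is constructed, except for the appended snippet, which is the one quoted above; the first-party host list is an assumption.

```python
# Added example, not the article's code: compare the page the host serves with the uploaded copy and
# report any <script> the served copy has that the upload lacks. Sample HTML below is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts, self._inline, self._buf = [], False, []  # ('src', url) or ('inline', code)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src))
        else:  # inline script: gather its body until the matching </script>
            self._inline, self._buf = True, []

    def handle_data(self, data):
        if self._inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline:
            self._inline = False
            self.scripts.append(("inline", "".join(self._buf).strip()))

def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts

def find_injected_scripts(uploaded_html, served_html):
    """Scripts present in the served page but absent from the uploaded copy."""
    known = set(collect_scripts(uploaded_html))
    return [s for s in collect_scripts(served_html) if s not in known]

def third_party_hosts(scripts, first_party_hosts):
    """Hosts of external scripts you do not control: the 'cross-site' part of XSS."""
    hosts = {urlparse(v).hostname for k, v in scripts if k == "src"}
    return sorted(h for h in hosts if h and h not in first_party_hosts)

UPLOADED = '<html><head><script src="/js/site.js"></script></head><body><p>Hi</p></body></html>\n'
INJECTED = ("<script>'undefined'=== typeof _trfq || (window._trfq = []);'undefined'=== typeof _trfd && "
            "(window._trfd=[]),_trfd.push({'tccl.baseHost':'secureserver.net'}),_trfd.push({'ap':'cpsh'},"
            "{'server':'p3plcpnl0846'}) // Monitoring performance to make your website faster. If you want "
            "to opt-out, please contact web hosting support.</script><script src='https://img1.wsimg.com/tcc/tcc_l.combined.1.0.6.min.js'></script>")
SERVED = UPLOADED + INJECTED + "\n"  # constructed: the served copy with the quoted snippet appended at the end
```

In practice UPLOADED comes from your local source file and SERVED from fetching the live page; anything reported by find_injected_scripts was added between upload and delivery.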
I'm still not sure what the GoDaddy XSS code is for though.
GoDaddy can say anything it wants, true or untrue, so the code
may or may not be for "monitoring performance to make your
website faster". Further, this XSS code is apparently only
injected into web pages of some, not all, GoDaddy web hosting
customers. How they decide which customers is
unknown.
What is the harm from this XSS code if it is from GoDaddy?
Despite GoDaddy saying it is trying to make your website
faster with the added XSS code, the more web page code, the
slower the web page loads in a browser. The slower the web
page loads, the less likely the user is to actually stay and
view the webpage. The XSS code may not look like much but the
"https://img1.wsimg.com/tcc/tcc_l.combined.1.0.6.min.js" part
is a command to load even more JavaScript code from elsewhere.
I read that code and it is lengthy.
The "JavaScript code from elsewhere" is from another website,
wsimg.com, so it is truly "cross-site" scripting. It took
some digging to find it out, but wsimg.com is registered to
Wild West Domains, which is one of the GoDaddy family of
companies.
Even though the XSS code is from GoDaddy it still may be a
security vulnerability. GoDaddy is just like most IT
companies these days in that it hires incompetent IT people
— see Apscitu's Stop IT Incompetence website — who may not know
enough to code securely.
They could completely negate the careful secure coding of your
website.
Note that this code is similar to that used by Google
Analytics but with a critical difference. Google Analytics is
how many website owners know how many hits, and from where and
when, their web pages are getting, which is very important
information for a website owner. Apscitu.com itself uses
Google Analytics. I'll be discussing Google Analytics in a
later article since it too has issues.
The critical difference between the GoDaddy and Google
Analytics code is that the Google Analytics code is knowingly
added, with considerable effort, by the web page coder, not
secretly by Google. Incidentally, Google instructs coders to
add its code at the very beginning of the web page code, not
hidden at the end.
Why do I stay with GoDaddy for my web hosting? One reason is
that GoDaddy is one of the largest web hosting companies in
the world and knowing how they work allows me to help
Apscitu's clients.
GoDaddy, though, may cancel my web hosting service in
retaliation for exposing them in this article. GoDaddy's
Universal Terms of Service Agreement says:
"GoDaddy may remove any item of User Content (whether posted
to a website hosted by GoDaddy or posted to this Site) and/or
terminate a User's access to this Site or the Services found
at this Site for posting or publishing any material in
violation of this Agreement, or for otherwise violating this
Agreement (as determined by GoDaddy in its sole and absolute
discretion), at any time and without prior
notice."
In short, GoDaddy can cancel your service for any reason at
any time. And GoDaddy has a history of doing this. Gordon
Lyon (Hi Fyodor!), a network security expert and author of the
renowned Nmap, irritated GoDaddy and got kicked off ... 52
seconds after he was notified by voicemail. He then started
the anti-GoDaddy website NoDaddy.com, which was popular until
GoDaddy bought it out.
Still, I already know how GoDaddy works — it feels like
I know all too well — so having my GoDaddy web hosting
service forcibly cancelled might be a blessing in disguise.
There are other generally better, but smaller, web hosting
companies.
I've already sufficiently notified GoDaddy about all of this.
It's in an encrypted file on a USB stick that looks like a
rock buried in the dirt in a closely-spaced grove of cacti in
one of the Saguaro National Parks around Tucson, Arizona. If
GoDaddy can't be bothered to read it too bad for
them.