GoDaddy removes JavaScript injection which tracks website performance, but might break it too

RUM was opt-in by default but GoDaddy has now promised to turn off the feature -- at least, for now.
Written by Charlie Osborne, Contributing Writer

GoDaddy is injecting JavaScript into customer websites for the purposes of tracking which may slow down websites or break them entirely.  

According to programmer Igor Kromin, issues with his own website's admin interface, hosted by the popular web hosting service, prompted him to examine the code to detect any problems.

Upon investigation, Kromin uncovered the failed loading effort of a JavaScript file, which implied an unknown JavaScript file had been loaded on his website. (Ironically, the issue at fault originally was a Safari bug rather than anything to do with GoDaddy.)

While there was little evidence of this file in source code or templates, all of his website's pages were being served with JavaScript.

The file in question is from GoDaddy's Real User Metrics (RUM) system, which the company describes as a means to "identify internal bottlenecks and optimization opportunities by inserting a small snippet of javascript code into customer websites."

See also: NASA internal app leaked employee emails, project names

"The snippet of JavaScript code allows us to measure and track the performance of your website, and collects information such as connection time and page load time," GoDaddy added. "We don't collect any user information with RUM. The data we collect allows us to improve our systems, optimize DNS resolution, improve network routing and server configurations."

Customers in the United States and those using cPanel Shared Hosting or cPanel Business were automatically opted-in to the service.

The collection of metrics and performance data is a common practice for many, and some webmasters will bolt-on their own collection systems in backend systems for increased visibility into how their website is performing.

CNET: Huawei sacks employee arrested for allegedly spying for China

However, GoDaddy publicly admitted that the JavaScript code may impact website performance and so users should be aware of what might be causing slowdowns or outright breakages.

"The JavaScript used may cause issues including slower site performance, or a broken/inoperable website," GoDaddy says. 

The system at hand is based on W3C Navigation Timing and while not a security issue, if website breakage is a possibility, a default opt-in was not necessarily fair or reasonable.

Most customers are not expected to be impacted by RUM, but websites involved in Google's AMP (Accelerated Mobile Pages Project) or with pages ending with multiple ending tags might be more susceptible to breaks or slow performance issues.

TechRepublic: WordPress users beware: These 10 plugins are most vulnerable to attacks

Kromin commented:

"I am not against web host providers monitoring how their servers are running. Using technology like RUM is a great way to do it, but this is meant to be a passive technology that is invisible to the end user. Injecting JavaScript into pages being served is far from passive and, at least in my eyes, is a violation of trust between the web host and the customer."

As noted by sister site TechRepublic, customers of GoDaddy were able to choose to opt-out of the tracking system. In order to do so, they needed to go to myh.godaddy.com, click the "..." button, "Help Us," and "Opt Out."

Once this has been achieved, the script is automatically removed from the webmaster's domain. However, this is no longer a requirement for customers.

After GoDaddy was made aware of concerns caused by the RUM program, the company has promised to turn off the JavaScript function with immediate effect. A GoDaddy spokesperson told ZDNet:

"We created a Real User Metrics (RUM) JavaScript to improve our hosting environment for our customers. The script is a non-invasive performance monitor that enables us to measure and track the performance of customer websites, and collects information, such as connection time and page load time. 

We only collect performance data, nothing more. We don't collect personal information. The data we collect is used to monitor our internal systems, optimize DNS resolution, improve network routing and server configurations, and help us improve the performance of our customers' websites.

After careful review of the concerns being raised around this program, we have decided to turn off the Javascript insertion on our hosting platform immediately.  We will reintroduce this program in the future, so that it is on an opt-in only basis.  We apologize for any confusion and inconvenience to our customers."

These are the worst hacks, cyberattacks, and data breaches of 2018

Previous and related coverage

Editorial standards