https://www.googletagmanager.com injected in all WHM Installations by cPanel Inc?

lorio

Well-Known Member
Feb 25, 2004
313
22
168
cPanel Access Level
Root Administrator
It looks cPanel Inc. is delivering GoogleTagmanager Script inside WHM.

I see that as a security risk and dataprivacy issue, when a thirdparty script is injected in the WHM console of every server.

Code:
    (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
            new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
            j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
            'https://www.googletagmanager.com/gtm.j

The dataLayer contains an ID and certain license data.

Code:
DNSOnly:
window.COMMON.licenseType = 'standard';
window.COMMON.resellerType = 'reseller';
window.COMMON.resellerType = 'root';
window.mandatoryDataLayer = [{
                cpSessionId: window.COMMON.securityToken.substring(1),
                hasRootPrivileges: window.COMMON.hasRootPrivileges,
                resellerType: window.COMMON.resellerType,
                id: <SNIP ID>,
                licenseType: window.COMMON.licenseType,
                isDnsOnly: window.COMMON.isDnsOnly,
                serverProfile: "DNSONLY",
            }];
            

VPS:
        window.COMMON.licenseType = 'standard';
        window.COMMON.resellerType = 'reseller';
        window.COMMON.resellerType = 'root';


            window.mandatoryDataLayer = [{
                cpSessionId: window.COMMON.securityToken.substring(1),
                hasRootPrivileges: window.COMMON.hasRootPrivileges,
                resellerType: window.COMMON.resellerType,
                id: <SNIP ID>,
                licenseType: window.COMMON.licenseType,
                isDnsOnly: window.COMMON.isDnsOnly,
                serverProfile: "STANDARD",
 
Last edited:
  • Like
Reactions: letmein

cPanelAdamF

cPanel Product Owner
Staff member
Mar 21, 2013
286
124
168
Houston TX
cPanel Access Level
DataCenter Provider
Twitter
We, like many other organizations, deploy a tag management system. We use the information gleaned to make important business and product decisions in an effort to make your experience using our offerings better. These systems use the injection mechanism that you point out in order to operate. We designed our use of this technology to respect your privacy as well as assist us in discovering vital business intelligence. It's always a fine line to walk; therefore, we take security and operations seriously when implementing and configuring the tag management system. We restrict access to it carefully and strictly control any publication through it. As always, you can review our Privacy Policy and other amendments here.
 

lorio

Well-Known Member
Feb 25, 2004
313
22
168
cPanel Access Level
Root Administrator
Thanks for your answer. The preception of what marketing wants and security suggests, seems to be a bit distorted.
You are injecting a third party script (a JavaScript from a Google server not under the control of your company) into every WHM console.
The differentiation between your Website and Server and the panelsoftware installed and hosted by your customers is not clear.
What scripts are next when I login tomorrow? Scriptblocks on selfhosted panelsoftware seems to be the new normal.

Examples of compromised JavaScripts are nothing new.
 

cPanelAnthony

Administrator
Staff member
Oct 18, 2021
1,046
111
118
Houston, TX
cPanel Access Level
Root Administrator
Hello! While you can disable interface analytics, configuration analytics cannot be disabled.


Warning:
In cPanel & WHM version 78 and later, we always collect Configuration Analytics for the server. We have classed this data as operational data that cPanel, L.L.C. requires in order to make vital business decisions.

This does not enable Interface Analytics or alter your participation (or choice not to participate) in that program.

For more information on what exact information we grab for analytics, please see the following article.

 

Duplika

Well-Known Member
Feb 26, 2005
81
9
158
Buenos Aires, Argentina
cPanel Access Level
Root Administrator
Twitter
Thanks for the update Anthony!
It's a pity we can't disable Google Analytics inserted at our WHM. Makes me want to disable Analytics alltogether instead of sharing useful information with cPanel.

Are we able to submit a feature request for this? Maybe reconsidering this makes more people interested in enabling Analytics at their servers.
 

cPanelAdamF

cPanel Product Owner
Staff member
Mar 21, 2013
286
124
168
Houston TX
cPanel Access Level
DataCenter Provider
Twitter
Our use of Google Tag Manager is to deliver the in-product survey found in the bottom right of WHM (2087) thus why you observed no effect to it when trying to disable Google Analytics.

You can disable participation in Google Analytics using the WHM » Configure cPanel Analytics feature in WHM (for server-wide) or from the slide-out to the right if you only want to operate on a user account. When either of those two options is set to NO, the analytics embeds are removed entirely from the UI. The uninstall script you cite will totally do it too, but we assume simply disabling the server setting is easier for most.

Starting with v98, we do distribute analytics tags in cpanel (2083) only for Jupiter users. This happens via a separate container embed, different from the one delivering the in-product survey, and is beholden to the same participation settings I described. The entire container tag is removed if you or your server owner chooses not to participate.
 
  • Like
Reactions: cPRex

Duplika

Well-Known Member
Feb 26, 2005
81
9
158
Buenos Aires, Argentina
cPanel Access Level
Root Administrator
Twitter
Our use of Google Tag Manager is to deliver the in-product survey found in the bottom right of WHM
Oh that seems like a small feature!
There are probably many people thinking you are forcing user tracking, and it's probably something accidental.

Hopefully it's integrated into your "cPanel Analytics" package, so it's either added or disabled as a whole.
 
Thread starter Similar threads Forum Replies Date
durangod Backups 3
H Backups 1