https://www.googletagmanager.com injected in all WHM Installations by cPanel Inc?

lorio

Well-Known Member
Feb 25, 2004
300
14
168
cPanel Access Level
Root Administrator
It looks cPanel Inc. is delivering GoogleTagmanager Script inside WHM.

I see that as a security risk and dataprivacy issue, when a thirdparty script is injected in the WHM console of every server.

Code:
    (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
            new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
            j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
            'https://www.googletagmanager.com/gtm.j

The dataLayer contains an ID and certain license data.

Code:
DNSOnly:
window.COMMON.licenseType = 'standard';
window.COMMON.resellerType = 'reseller';
window.COMMON.resellerType = 'root';
window.mandatoryDataLayer = [{
                cpSessionId: window.COMMON.securityToken.substring(1),
                hasRootPrivileges: window.COMMON.hasRootPrivileges,
                resellerType: window.COMMON.resellerType,
                id: <SNIP ID>,
                licenseType: window.COMMON.licenseType,
                isDnsOnly: window.COMMON.isDnsOnly,
                serverProfile: "DNSONLY",
            }];
            

VPS:
        window.COMMON.licenseType = 'standard';
        window.COMMON.resellerType = 'reseller';
        window.COMMON.resellerType = 'root';


            window.mandatoryDataLayer = [{
                cpSessionId: window.COMMON.securityToken.substring(1),
                hasRootPrivileges: window.COMMON.hasRootPrivileges,
                resellerType: window.COMMON.resellerType,
                id: <SNIP ID>,
                licenseType: window.COMMON.licenseType,
                isDnsOnly: window.COMMON.isDnsOnly,
                serverProfile: "STANDARD",
 
Last edited:

cPanelAdamF

cPanel Product Owner
Staff member
Mar 21, 2013
248
62
103
Houston TX
cPanel Access Level
DataCenter Provider
Twitter
We, like many other organizations, deploy a tag management system. We use the information gleaned to make important business and product decisions in an effort to make your experience using our offerings better. These systems use the injection mechanism that you point out in order to operate. We designed our use of this technology to respect your privacy as well as assist us in discovering vital business intelligence. It's always a fine line to walk; therefore, we take security and operations seriously when implementing and configuring the tag management system. We restrict access to it carefully and strictly control any publication through it. As always, you can review our Privacy Policy and other amendments here.
 

lorio

Well-Known Member
Feb 25, 2004
300
14
168
cPanel Access Level
Root Administrator
Thanks for your answer. The preception of what marketing wants and security suggests, seems to be a bit distorted.
You are injecting a third party script (a JavaScript from a Google server not under the control of your company) into every WHM console.
The differentiation between your Website and Server and the panelsoftware installed and hosted by your customers is not clear.
What scripts are next when I login tomorrow? Scriptblocks on selfhosted panelsoftware seems to be the new normal.

Examples of compromised JavaScripts are nothing new.
 
Thread starter Similar threads Forum Replies Date
durangod Data Protection 3
H Data Protection 1