godotxc.com is using nefarious code

Karlsson · Mon Aug 21, 2023 11:48 am

Just a heads up that the new resource store run by stayathomedev uses nefarious code that uses a backdoor making your browser connect with a multitude of other domains without first having you accept the sales of your private information.

This is normally penalized by 1-2 euros per visit within the European Union, and there are no excuses for selling this data without entering an agreement with the visitors beforehand.

See this as something that can be remedied before there's serious monetary repercussions.

The people that have been exploited so far without their knowledge should get some kind of recompense or amends.

dumbOldMan · Mon Aug 21, 2023 1:07 pm

And where did you find these information? is the source reliable? or arent you just here to tamper his face?

Karlsson · Mon Aug 21, 2023 3:44 pm

dumbOldMan wrote: ↑Mon Aug 21, 2023 1:07 pm And where did you find these information? is the source reliable? or arent you just here to tamper his face?

You can easily visit the site and see for yourself, it's not hidden. Check if the site uses your browser/computer to contact other domains without first asking you for permission to give your information to those companies. (Domains that are not under the control of godotxc.)

It might be legal in some countries to abuse users like that, but it has to be legal in every country that allows you to view it, and is especially harshly enforced on commercial sites that earn money from visits and sales.

DaveTheCoder · Tue Aug 22, 2023 7:06 pm

You can easily visit the site and see for yourself,

I did, but I didn't get any browser warnings.

Check if the site uses your browser/computer to contact other domains

Which domains?

Karlsson · Sat Sep 02, 2023 7:17 am

DaveTheCoder wrote: ↑Tue Aug 22, 2023 7:06 pm Which domains?

Code: Select all

stats.wp.com
www.googletagmanager.com
assets.mailerlite.com
fonts.gstatic.com
fonts.googleapis.com
q.stripe.com
r.stripe.com
m.stripe.com
m.stripe.network
js.stripe.com
pixel.wp.com

They are all tracking domains, and the site is not clear that it is selling customers data to those companies or that it even uses their browsers as a backdoor to communicate with those domains that are not under any control of godotxc.

It is unlawful under GDPR to do so, and someone (not me, because I'm here trying to prevent it) will file a complaint. The complaint will take 30 days, and there will be an estimation for how many views the page has recieved and the company behind godotxc will get a fine of about 1 eur per view + some percentage of turnaround.

It is a lot more serious than it seems, despite it being common trackers and data brokers.

megalomaniak · Sat Sep 02, 2023 3:21 pm

*.wp.com is just wordpress, which is likely used as the CMS for the site. stripe doesn't show up to me here. The rest, yeah. mailer is obviously for mailing list and gstatic along with googleapi's is, well, google. Bog standard stuff. There's far more egregious sites out there, bazillions of them.

DaveTheCoder · Sat Sep 02, 2023 5:30 pm

Bog

What is that?

megalomaniak · Sun Sep 03, 2023 12:56 pm

bog-standard - ordinary or basic. Relying on content delivery networks that host scripts and resources or offer specific services such as the mailing list subscription are ordinary nowadays. It's not 1998 anymore.

I do get where the OP is coming from tho, if a site wants to offer a service I'd rather they host it themselves. I'm willing to dedicate some trust towards a specific party themselves but not very keen on trusting dozens or more third parties, especially hidden ones either.

Karlsson · Sun Sep 03, 2023 2:13 pm

megalomaniak wrote: ↑Sat Sep 02, 2023 3:21 pm There's far more egregious sites out there, bazillions of them.

Yes, but it's not about that at all. Beyond the user having the right to know who accesses their computer directly and indirectly, it is against the law, and very expensive for commercial sites that doesn't care. The law doesn't have a an egregious scale, and you don't get away from these fines just because your company is in another country. All countries have debt collectors.

megalomaniak · Sun Sep 03, 2023 6:20 pm

So I looked it up, stripe didn't show up for me since I wasn't trying to buy anything from there. It's a payment processing service. Closest thing to unwarranted tracking there is google. And that's likely for basic search services. I don't see anything that's nefariously tracking users for any sort of data commerce to third parties in there.

Karlsson wrote: ↑Sun Sep 03, 2023 2:13 pm Beyond the user having the right to know who accesses their computer directly and indirectly, it is against the law, and very expensive for commercial sites that doesn't care. The law doesn't have a an egregious scale, and you don't get away from these fines just because your company is in another country. All countries have debt collectors.

That's not really true, like it or not(and I don't) but exceptions are given be it by the GDPR or any other equivalents. A payment service such as this stripe or the mailer stuff, they all need to gather a minimum of data for the function of the service provided and transfer that across to their servers. There are allowances for this in all this sort of legislation.

And yes, there is a scale of 'egregiousness' based on what is considered vital for function of services and what is not.