Posted on Dec 28, 2016 by Caleb Chen

Comcast still uses MITM javascript injection to serve unwanted ads and messages




For years, Comcast and other large telecommunication companies around the world have injected javascript into your web browsing experience to serve advertisements and account notices. Their ability to do this stems from their upstream position as your Internet Service Provider (ISP). While Comcast is only currently using their javascript injection ability to serve customer account related information, the same message sending vector could be used to serve phishing expeditions, or other types of attacks. Not to mention that whoever your ISP is has access to your browsing history, your search history, your entire internet history unless you use a VPN. Some, like AT&T, even brazenly sold parts of this information for advertising profit unless you explicitly paid them not to – a pay-for-privacy scheme.

A long history of Comcast ads via MITM Javascript injections

Comcast Xfinity popup

The evidence shows that they’ve been doing this since 2014 and earlier. The ISP started to inject code onto the screens of millions of devices connected to Xfinity via free public wireless hotspots. Because they were free, the practice raised both security and net neutrality concerns.

Charlie Douglas, a spokesperson for Comcast, told Ars Technica why they would continue to inject unwanted ads and messages into their users’ web browsers:

“We think it’s a courtesy, and it helps address some concerns that people might not be absolutely sure they’re on a hotspot from Comcast.”

Douglas also reiterated that paying users wouldn’t receive such injected ads or messages at their home. Or at least that was company policy in 2014. Fast forward over two years later, and company policy has clearly changed. Unwanted man-in-the-middle (MITM) code insertion now happens in Xfinity connected homes, as well – a stark reminder that such an attack vector exists. Simply put, this is a centralized vulnerability that could be easily exploited by law enforcement or other nefarious actors.

About Caleb Chen

Caleb Chen is a digital currency and privacy advocate who believes we must #KeepOurNetFree, preferably through decentralization. Caleb holds a Master’s in Digital Currency from the University of Nicosia as well as a Bachelor’s from the University of Virginia. He feels that the world is moving towards a better tomorrow, bit by bit by Bitcoin.


VPN Service

Leave a Reply

Your email address will not be published. Required fields are marked *

5 Comments

  1. phatkatmeow

    That’s ok, their code is being used to piggy-bag and help thousands across firewalls to fr.. stuff.

    11 months ago
    Reply
  2. ich persönlich

    Maybe each website owner should add some javascript to their website which checks for those comcast insertions. In case it finds it, bombard the server with requests from the client.

    11 months ago
    Reply
  3. Roy

    I am in Belgium with Proximus (Previously Belgacom, what was the country national ISP), and they are doing exactly the same thing.

    11 months ago
    Reply
  4. عمر

    Is there a section in their TOS that allows them to do so?

    10 months ago
    Reply
  5. Lolerbot

    Here’s an interesting legal tidbit. Comcast may want to seek legal advise on this. The 1998 DMCA put into place 17 U.S. Code § 512 – Limitations on liability relating to material online. In this law, it only provides the internet provider protection from prosecution and damages from copyright infringement if “the material is transmitted through the system or network without modification of its content.”

    This means to me that injecting code into a illegally transmitted and copyrighted html page would put them outside the safe harbor provisions of the DMCA and make them potentially liable for damages, but then again, they should talk to one of their army of intellectual property attorneys to make sure.

    10 months ago
    Reply