Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Advertising Security The Internet Wireless Networking Technology

Comcast Using JavaScript Injection To Serve Ads On Public Wi-Fi Hotspots 230

An anonymous reader writes: For some time now, Comcast has setting up public Wi-Fi hotspots, some of which are run on the routers of paying subscribers. The public hotspots are free, but not without cost: Comcast uses JavaScript to inject self-promotional ads into the pages served to users. "Security implications of the use of JavaScript can be debated endlessly, but it is capable of performing all manner of malicious actions, including controlling authentication cookies and redirecting where user data is submitted. ... Even if Comcast doesn't have any malicious intent, and even if hackers don't access the JavaScript, the interaction of the JavaScript with websites could "create" security vulnerabilities in websites, [EFF technologist Seth Schoen] said. "Their code, or the interaction of code with other things, could potentially create new security vulnerabilities in sites that didn't have them," Schoen said."
This discussion has been archived. No new comments can be posted.

Comcast Using JavaScript Injection To Serve Ads On Public Wi-Fi Hotspots

Comments Filter:
  • JavaScript (Score:4, Insightful)

    by Anonymous Coward on Monday September 08, 2014 @05:56PM (#47857275)

    Yet another reason to disable JavaScript from your computing devices.

    • JavaScript (Score:4, Insightful)

      by j127 ( 3658485 ) on Monday September 08, 2014 @06:31PM (#47857619)
      That would be nice, but it's impossible to use the modern web and HTML5 without JavaScript. Maybe Privacy Badger or Ghostery can block it.
      • Re: (Score:2, Informative)

        by Anonymous Coward

        honestly the number of times i have to whitelist a page to run javascript is surprisingly small. In fact, some even end up working better (I'm looking at you theonion.com and your regional paywall-after-a-certain-number-of-pageviews).

      • Re:JavaScript (Score:4, Informative)

        by Anonymous Coward on Monday September 08, 2014 @07:29PM (#47858035)

        A lot of browser addons like NotScript and NoScript even allow you to easily whitelist javascript permissions by domain trying to do so on a page, so if things are not happy you just click the icon, and click allow for the domains that are pertinent to the site and not the ad networks et al.

        • Which is great if you only visit the same sites. I try to do something similar to what you request, but if you don't have a regular set of websites you visit, you are going to be constantly twiddling permissions.

          It's annoying enough when it's just me, but my parents/wife/family respond, "This website is broken, your setup drives me nuts, I just want things to work."

          • It's annoying enough when it's just me, but my parents/wife/family respond, "This website is broken, your setup drives me nuts, I just want things to work."

            Then disable disabling javascript for their users and keep their accounts in a sandbox, or on separate machines. If it's your network, and they've authorised you to manage security, backups and hardware then they get what you decide. Or they get to manage it themselves.

            They do understand binary?

      • Re: (Score:2, Informative)

        by Anonymous Coward

        That would be nice, but it's impossible to use the modern web and HTML5 without JavaScript.

        Just disable JavaScript from third party sites. When you browse your local news page there is no reason for them to pull in scripts from adtech, google-analytics or whatever.
        The pages that doesn't work when you disable external JavaScripts are just a handful and usually you just need to enable "samename-cdn.com" or similar because they store some stuff on another domain to distribute the load.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        > That would be nice, but it's impossible to use the modern web and HTML5 without JavaScript.

        Tell that to the 2.2 millions users that have made NoScript the 3rd most popular non-developer add-on for firefox. [mozilla.org]

        • Yes, use the NoScript [noscript.net] add-on for Firefox.

          But the subject is about Comcast abuse. Here is just one example, from Comcast's "Automatic Payment Terms & Conditions", retrieved a few minutes ago:

          "6. COMCAST SHALL BEAR NO LIABILITY OR RESPONSIBILITY FOR ANY LOSSES OF ANY KIND THAT YOU MAY INCUR AS A RESULT OF A PAYMENT MADE ON ITEMS INCORRECTLY BILLED..."

          Most people don't have time to read legal language. Many would not understand it fully. It is overly broad. And, in my experience, Comcast often tr
    • Re:JavaScript (Score:5, Insightful)

      by bondsbw ( 888959 ) on Monday September 08, 2014 @06:37PM (#47857671)

      Better yet, disable HTTP. This is a MITM injection attack and SSL was invented to help prevent this.

    • by thieh ( 3654731 )
      People still have JavaScript on while using a public wifi network? O_o
    • conservation of evil. It has to go somewhere. Comcast seems to be at the root of every bad deed these days. I think we figured out that google is dumping its evil quota on comcast.

  • Copyright violation? (Score:5, Interesting)

    by crow ( 16139 ) on Monday September 08, 2014 @05:56PM (#47857277) Homepage Journal

    Does this violate the copyright of the sites the user is visiting? By modifying the content stream, they're creating a derivative work without authorization.

    On the other hand, user-controlled plugins and ad blockers do that all the time, so I wouldn't be too quick to make that argument in court.

    • by thieh ( 3654731 ) on Monday September 08, 2014 @06:00PM (#47857305)
      There is a subtle difference: user modification on visit is personal use and mostly not shared, what Comcast is doing is broadcasting modified content.
      • by taustin ( 171655 ) on Monday September 08, 2014 @06:20PM (#47857501) Homepage Journal

        And doing so for a commercial purpose. Which, in theory, could make it criminal.

    • by steppin_razor_LA ( 236684 ) on Monday September 08, 2014 @06:05PM (#47857377) Journal

      I think it is.

      It is one thing to install software on your own computer that serves modified content. When you start serving the modified content to other people, I believe that creates the difference.

      If comcast can inject ads, then there would be no problem with ISPs offering "Advertising Filtering" proxy servers for their customers and serving them sanitized content.

      • by taustin ( 171655 )

        Of course there'd be a problem with that. Comcast's users won't pay as much for ad free content as their customers - advertisers - will pay to shove ads down your throat.

        • by Jason Levine ( 196982 ) on Tuesday September 09, 2014 @08:00AM (#47861007) Homepage

          Well, then obviously, you charge those ad distributors for a silver ad plan that gets by the filters.

          Then charge customers for a silver ad blocking plan that blocks them.

          But a gold ad plan will get by that.

          But a gold ad blocking plan will block that.

          But a platinum ad plan will get by even that....

          Queue Comcast's CEO singing "We're In The Money!"

    • by j127 ( 3658485 ) on Monday September 08, 2014 @06:29PM (#47857595)

      Yes, definitely. Also, it violates the policies of ad-free sites to not subject their visitors to ads. Websites will not be able to maintain their terms of service. For example: if you pay the website for an ad-free subscription, and Comcast then injects ads, your customers are screwed.

      An ad-blocker is for personal use -- kind of like marking a page in a book that you're reading or removing a picture because you don't want to see it. Systematic modification of copyrighted content before delivery to customers is definitely criminal.

    • by sjames ( 1099 )

      But Comcast is leading the user to believe that the page looks like their modified version. If the user mods the page with plugins, they know it isn't being displayed as I intended. I don't mind the user doing that, but I do mind an intermediary doing it.

      Perhaps a plugin that checks the integrity of a page against an embedded signed hash and launches a DOS against the ISP if it has been corrupted.

      • by Nite_Hawk ( 1304 )

        Oh, a DOS doesn't need to be launched, that would imply you are trying to circumvent the courts. Merely have the plugin send a DMCA take down notice to the content provider every time it detects that an unauthorized derivative work has been made and shared.

    • by Charliemopps ( 1157495 ) on Monday September 08, 2014 @06:35PM (#47857651)

      Does this violate the copyright of the sites the user is visiting? By modifying the content stream, they're creating a derivative work without authorization.

      On the other hand, user-controlled plugins and ad blockers do that all the time, so I wouldn't be too quick to make that argument in court.

      I'd argue against that... except... by modifying the content en-route, they are likely pushing legitimate ad-content out of the users view. i.e. If I ran a search engine, and paid for that service by placing a banner add at the bottom advertising chicken wings... and then Comcast did their injection attack and pushed that add further down, they would most certainly be affecting my commercial revenue.

      If the user chose to block that add themselves, that would be entirely different. They made a choice to do so, or to scroll their screen. But this is an intermediary company forcing that content out of the users view for a profit. I'd say the EFF should throw up a page, visit it on one of these networks and then sue the living crap out of Comcast.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        It's more serious. It violates the CFAA, since it injects code that make other computers do things they weren't indended to do (put advertising).

        The responsible people should be jailed.

    • There are no legal issues with an end user altering the presentation of what they receive to suit their needs. It's not like you're under contract to download all of the cross-site scripts today's hipster web developers burden their creations with. Injecting some Greasemonkey Javascript or blocking malicious code can be interpreted as a derivative work but there is no further distribution to other parties to make the case of damages through copyright infringement. This is commonly done with screen readers a

    • by Tablizer ( 95088 )

      Leave it to Comcast to test the boundaries of sleazy practices.

    • Okay, IANAL, but this is my understanding. If you're the copyright holder, nobody has the right to change your work without your permission (which may be a CC license or something).

      Copyrights in the US are registered and unregistered. Both are valid, but there's differences in the enforcement. If somebody violates your unregistered copyright, I believe you'd have to sue for actual losses, which in most cases is a whole lot below the filing fee to sue. If somebody violates a copyright you'd registered

  • by lophophore ( 4087 ) on Monday September 08, 2014 @06:02PM (#47857339) Homepage

    Don't use random hot spots. It's like safe sex, only for your computer. Stay away from sketchy connections.

    • Don't use random hot spots. It's like safe sex, only for your computer. Stay away from sketchy connections.

      It's even like not buying what is advertised. I won't.

    • by dissy ( 172727 ) on Monday September 08, 2014 @06:44PM (#47857729)

      Don't use random hot spots. It's like safe sex, only for your computer.

      [me] Aight baby, play with that packet. You know how I like it
      [ap] tee hee *beep*
      [me] oh yea, deeper inspection, deeper inspection! oh yea!
      [ap] *56k carrier sound*
      [me] That's what I like to hear! Now, I put on my robe and wizards hat
      [ap] ... *stp-broadcast* ...
      [me] baby-aye-pee you still there? Where'd ya go??

  • Did anyone catch the promise in the FrontPorch video ad that customers could use the technology to "gather valuable business intelligence"? Guess it doesn't only deliver ads... it ransacks the device!!!

  • I'm sure the terms and conditions you agree to when using their hotspots explicitly grant them permission to do so.

  • by Lightn ( 6014 ) on Monday September 08, 2014 @06:22PM (#47857521) Homepage

    It would be interesting to see what would happen if you browsed a website with Content Security Policy headers on a Comcast public Wi-Fi hotspot.

    The technology is new enough that the injection technology might not handle it and thus the browser would block the ad. But if they did, by changing the CSP headers, the website might have a stronger case for suing Comcast since they would be explicitly bypassing a security technology.

  • This must be illegal, since it modifies copyrighted content before delivery to the consumer. If this happens to your site, sue them for violating copyright. Can you imagine what it would do to a ad-free website's reputation to have some ads injected into it? This is an attack on web publishers.
  • Always make sure your session cookies are tagged with HttpOnly, so Javascript code has no access to them.

    From a user of a wifi hotspot's point of view, use a VPN or only browse HTTPS sites.

    • vpn. all the way.

      you see that stream of octets? you can't get into them!

      bwahahaha!

      now, it seems that comcast (my isp) drops my vpn connection every few hours. I'm working on a modem reboot system that keeps my network up but its a huge PITA that comcast resets my connection several times a day and it requires a full modem reboot to get it back again.

      still, I'll continue to use a vpn for many reasons. the 'opaque stream of octets' keeps their fingers out of my data, very nicely. they can't modify or rea

  • Maybe I'm missing some thing here but it seems like a edit to a local hosts file could resolve this.

    Generically, for instance, if the ads injected were coming from ads.comcast.net one could simply add a line to the hosts file:

    0.0.0.0 ads.comcast.net

    Wouldn't this prevent the ads from loading to begin with? I mean sure it's a little more difficult on phones and tablets but regular PCs it should be at all difficult to make this edit.

    Since I'm apparently in a generous mood, for windows users, open an "administrator command prompt"

    • by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Monday September 08, 2014 @07:36PM (#47858083) Homepage Journal

      Maybe I'm missing some thing here but it seems like a edit to a local hosts file could resolve this.

      You're not the only one who uses hosts files like this. When Flash ads first appeared on Slashdot, I started blocking servers that send Flash ads. (I'll never buy Splunk because it was the first thing I ever saw advertised in a Flash ad.) I've since switched to click-to-play plug-ins for that, but I have written a few thoughts on how to make hosts file parsing more efficient than it currently is [pineight.com].

      Alex P. Kowalski (APK) has long been an advocate of using hosts files for DNS blacklisting and acceleration, and his tool for Windows [blogspot.com] aggregates multiple sources over a million lines long. It also looks up the IP addresses for commonly accessed sites and caches them locally. He claims that his tool is more efficient than DNS because the operating system's hosts file parser allegedly runs in kernel space (fewer context switches) and the most commonly accessed sites (good or bad) are at the top of the list.

      But lately, Windows Defender has been reverting the hosts file so that malware can't use the hosts file to redirect Facebook and the major webmails and "steal" users' credentials that way. You have to opt out of hosts file protection [mvps.org] if you want to continue using APKware.

      • Or better yet...turn off Windows Defender and disable the services it needs to run. Yes, Windows will complain at you. But you can forcibly turn off those warnings as well. And if the warnings do pop up and annoy you, you can disable the service that shows the warnings as well. It's my computer, I will do whatever I want to with it, and the OS will let me, or I will modify it until it does.
    • by penix1 ( 722987 )

      You forgot a step if you are running 8.*. If you only do what you have, then Windows Defender will reject your edits as being "malicious".

      See here to fix that:

      http://winhelp2002.mvps.org/ho... [mvps.org]

  • Sometimes when I log into Yahoo mail (https log-in page), the secure icon in Firefox changes from padlock to exclamation mark. Same problem on Twitter, the https turns into an exclamation mark. This is a permanent problem on Google Image search. The worst thing about this problem is in Yahoo. When I press tab and am about to fill in my password, the caret jumps from password field to username field, which means part of my username now has appended to it part of my password. I only notice that after hitting
    • Why do you think this would be your ISP and not some malware on your computer or a neighbor phishing you? Have you bothered inspecting the traffic to see what gets sent back and forth?
    • Sometimes when I log into Yahoo mail (https log-in page), the secure icon in Firefox changes from padlock to exclamation mark. Same problem on Twitter, the https turns into an exclamation mark. This is a permanent problem on Google Image search. The worst thing about this problem is in Yahoo. When I press tab and am about to fill in my password, the caret jumps from password field to username field, which means part of my username now has appended to it part of my password. I only notice that after hitting

  • by sunderland56 ( 621843 ) on Monday September 08, 2014 @08:00PM (#47858205)

    Even if Comcast doesn't have any malicious intent

    Of course they have malicious intent; they are inserting ads where previously there were none. Isn't that malicious enough for you?

  • by kylemonger ( 686302 ) on Monday September 08, 2014 @08:36PM (#47858407)
    ... of using https for everything. I do now.
  • You just can't make this stuff up, Doyle (via Holmes) was right:

    "We think it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast," Douglas said.

  • If browsers treated HTTP GET nowadays like they have treated HTTP POST (i.e. pop up an annoying modal dialog that says "This connection is untrusted. Are you sure you want to continue?"), I daresay this would motivate everyone to move to HTTPS.

    The problem is the web of trust and the cost of getting certificates. There needs to be a mechanism for getting a free or trivial cost certificate if you are not a corporation.

Life is a whim of several billion cells to be you for a while.

Working...