Comcast Using JavaScript Injection To Serve Ads On Public Wi-Fi Hotspots

An anonymous reader writes: For some time now, Comcast has setting up public Wi-Fi hotspots, some of which are run on the routers of paying subscribers. The public hotspots are free, but not without cost: Comcast uses JavaScript to inject self-promotional ads into the pages served to users. "Security implications of the use of JavaScript can be debated endlessly, but it is capable of performing all manner of malicious actions, including controlling authentication cookies and redirecting where user data is submitted. ... Even if Comcast doesn't have any malicious intent, and even if hackers don't access the JavaScript, the interaction of the JavaScript with websites could "create" security vulnerabilities in websites, [EFF technologist Seth Schoen] said. "Their code, or the interaction of code with other things, could potentially create new security vulnerabilities in sites that didn't have them," Schoen said."

Hosts file solution?

[keith_nt4]

Maybe I'm missing some thing here but it seems like a edit to a local hosts file could resolve this.

Generically, for instance, if the ads injected were coming from ads.comcast.net one could simply add a line to the hosts file:

0.0.0.0 ads.comcast.net

Wouldn't this prevent the ads from loading to begin with? I mean sure it's a little more difficult on phones and tablets but regular PCs it should be at all difficult to make this edit.

Since I'm apparently in a generous mood, for windows users, open an "administrator command prompt" and paste in the following line. You should be able to save the changes. If not the you might have take off the read-only flag. Sorry, it's been a while since I set it up on a fresh install.

notepad c:\Windows\System32\drivers\etc\hosts

Or do like a real geek and pipe all network traffic coming in to windows through a (properly configured) pfSense virtual machine.