Comcast Using JavaScript Injection To Serve Ads On Public Wi-Fi Hotspots

← Back to Stories (view on slashdot.org)

Comcast Using JavaScript Injection To Serve Ads On Public Wi-Fi Hotspots

Posted by Soulskill on Monday September 8, 2014 @10:52AM from the perfectly-in-character dept.

An anonymous reader writes: For some time now, Comcast has setting up public Wi-Fi hotspots, some of which are run on the routers of paying subscribers. The public hotspots are free, but not without cost: Comcast uses JavaScript to inject self-promotional ads into the pages served to users. "Security implications of the use of JavaScript can be debated endlessly, but it is capable of performing all manner of malicious actions, including controlling authentication cookies and redirecting where user data is submitted. ... Even if Comcast doesn't have any malicious intent, and even if hackers don't access the JavaScript, the interaction of the JavaScript with websites could "create" security vulnerabilities in websites, [EFF technologist Seth Schoen] said. "Their code, or the interaction of code with other things, could potentially create new security vulnerabilities in sites that didn't have them," Schoen said."

6 of 230 comments (clear)

Min score:

Reason:

Sort:

Copyright violation? by crow · 2014-09-08 10:56 · Score: 5, Interesting

Does this violate the copyright of the sites the user is visiting? By modifying the content stream, they're creating a derivative work without authorization.
On the other hand, user-controlled plugins and ad blockers do that all the time, so I wouldn't be too quick to make that argument in court.
1. Re:Copyright violation? by Em+Adespoton · 2014-09-08 11:30 · Score: 5, Interesting
  
  And doing so for a commercial purpose. Which, in theory, could make it criminal.
  If I recall correctly, Comcast is currently arguing just this in court -- but for third parties stripping ads from their cable streams.
  I think they're going to try really hard to differentiate between the goose and the gander here.
2. Re:Copyright violation? by Charliemopps · 2014-09-08 11:35 · Score: 4, Interesting
  
  Does this violate the copyright of the sites the user is visiting? By modifying the content stream, they're creating a derivative work without authorization.
  On the other hand, user-controlled plugins and ad blockers do that all the time, so I wouldn't be too quick to make that argument in court.
  I'd argue against that... except... by modifying the content en-route, they are likely pushing legitimate ad-content out of the users view. i.e. If I ran a search engine, and paid for that service by placing a banner add at the bottom advertising chicken wings... and then Comcast did their injection attack and pushed that add further down, they would most certainly be affecting my commercial revenue.
  If the user chose to block that add themselves, that would be entirely different. They made a choice to do so, or to scroll their screen. But this is an intermediary company forcing that content out of the users view for a profit. I'd say the EFF should throw up a page, visit it on one of these networks and then sue the living crap out of Comcast.
3. Re:Copyright violation? by Anonymous Coward · 2014-09-08 14:28 · Score: 2, Interesting
  
  It's more serious. It violates the CFAA, since it injects code that make other computers do things they weren't indended to do (put advertising).
  The responsible people should be jailed.
Content Security Policy by Lightn · 2014-09-08 11:22 · Score: 4, Interesting

It would be interesting to see what would happen if you browsed a website with Content Security Policy headers on a Comcast public Wi-Fi hotspot.
The technology is new enough that the injection technology might not handle it and thus the browser would block the ad. But if they did, by changing the CSP headers, the website might have a stronger case for suing Comcast since they would be explicitly bypassing a security technology.
Windows 8 reverts the hosts file by tepples · 2014-09-08 12:36 · Score: 3, Interesting

Maybe I'm missing some thing here but it seems like a edit to a local hosts file could resolve this.
You're not the only one who uses hosts files like this. When Flash ads first appeared on Slashdot, I started blocking servers that send Flash ads. (I'll never buy Splunk because it was the first thing I ever saw advertised in a Flash ad.) I've since switched to click-to-play plug-ins for that, but I have written a few thoughts on how to make hosts file parsing more efficient than it currently is.
Alex P. Kowalski (APK) has long been an advocate of using hosts files for DNS blacklisting and acceleration, and his tool for Windows aggregates multiple sources over a million lines long. It also looks up the IP addresses for commonly accessed sites and caches them locally. He claims that his tool is more efficient than DNS because the operating system's hosts file parser allegedly runs in kernel space (fewer context switches) and the most commonly accessed sites (good or bad) are at the top of the list.
But lately, Windows Defender has been reverting the hosts file so that malware can't use the hosts file to redirect Facebook and the major webmails and "steal" users' credentials that way. You have to opt out of hosts file protection if you want to continue using APKware.