Slashdot Mirror


Comcast Using JavaScript Injection To Serve Ads On Public Wi-Fi Hotspots

An anonymous reader writes: For some time now, Comcast has been setting up public Wi-Fi hotspots, some of which are run on the routers of paying subscribers. The public hotspots are free, but not without cost: Comcast uses JavaScript to inject self-promotional ads into the pages served to users. "Security implications of the use of JavaScript can be debated endlessly, but it is capable of performing all manner of malicious actions, including controlling authentication cookies and redirecting where user data is submitted. ... Even if Comcast doesn't have any malicious intent, and even if hackers don't access the JavaScript, the interaction of the JavaScript with websites could "create" security vulnerabilities in websites, [EFF technologist Seth Schoen] said. "Their code, or the interaction of code with other things, could potentially create new security vulnerabilities in sites that didn't have them," Schoen said."

35 of 230 comments

  1. JavaScript by Anonymous Coward · · Score: 4, Insightful

    Yet another reason to disable JavaScript from your computing devices.

    1. Re:JavaScript by bondsbw · · Score: 5, Insightful

      Better yet, disable HTTP. This is a MITM injection attack and SSL was invented to help prevent this.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    2. Re:JavaScript by Anonymous Coward · · Score: 2, Informative

      Honestly the number of times I have to whitelist a page to run JavaScript is surprisingly small. In fact, some even end up working better (I'm looking at you theonion.com and your regional paywall-after-a-certain-number-of-pageviews).

    3. Re:JavaScript by Anonymous Coward · · Score: 4, Informative

      A lot of browser addons like NotScript and NoScript even allow you to easily whitelist javascript permissions by domain trying to do so on a page, so if things are not happy you just click the icon, and click allow for the domains that are pertinent to the site and not the ad networks et al.

    4. Re:JavaScript by MacDork · · Score: 3, Informative

      Came here to say that. Would mod up. No points.

    5. Re:JavaScript by Anonymous Coward · · Score: 2, Informative

      That would be nice, but it's impossible to use the modern web and HTML5 without JavaScript.

      Just disable JavaScript from third party sites. When you browse your local news page there is no reason for them to pull in scripts from adtech, google-analytics or whatever.
      The pages that don't work when you disable external JavaScripts are just a handful and usually you just need to enable "samename-cdn.com" or similar because they store some stuff on another domain to distribute the load.

    6. Re:JavaScript by wonkey_monkey · · Score: 2

      > No points.

      Or pronouns.

      --
      systemd is Roko's Basilisk.
    7. Re:JavaScript by thegarbz · · Score: 2

      Yes because often public wifi refuses to work altogether if you turn it off.

    8. Re:JavaScript by Anonymous Coward · · Score: 2, Informative

      > That would be nice, but it's impossible to use the modern web and HTML5 without JavaScript.

      Tell that to the 2.2 million users that have made NoScript the 3rd most popular non-developer add-on for Firefox.

  2. Copyright violation? by crow · · Score: 5, Interesting

    Does this violate the copyright of the sites the user is visiting? By modifying the content stream, they're creating a derivative work without authorization.

    On the other hand, user-controlled plugins and ad blockers do that all the time, so I wouldn't be too quick to make that argument in court.

    1. Re:Copyright violation? by thieh · · Score: 4, Insightful

      There is a subtle difference: user modification on visit is personal use and mostly not shared, what Comcast is doing is broadcasting modified content.

    2. Re:Copyright violation? by steppin_razor_LA · · Score: 3, Insightful

      I think it is.

      It is one thing to install software on your own computer that serves modified content. When you start serving the modified content to other people, I believe that creates the difference.

      If Comcast can inject ads, then there would be no problem with ISPs offering "Advertising Filtering" proxy servers for their customers and serving them sanitized content.

      --
      Evolution: love it or leave it
    3. Re:Copyright violation? by taustin · · Score: 4, Informative

      And doing so for a commercial purpose. Which, in theory, could make it criminal.

    4. Re:Copyright violation? by taustin · · Score: 2

      Of course there'd be a problem with that. Comcast's users won't pay as much for ad free content as their customers - advertisers - will pay to shove ads down your throat.

    5. Re:Copyright violation? by Em Adespoton · · Score: 5, Interesting

      > And doing so for a commercial purpose. Which, in theory, could make it criminal.

      If I recall correctly, Comcast is currently arguing just this in court -- but for third parties stripping ads from their cable streams.

      I think they're going to try really hard to differentiate between the goose and the gander here.

    6. Re:Copyright violation? by gstoddart · · Score: 3, Informative

      As I recall, it's not free ... it's available to people who are already Comcast subscribers.

      In other words, this should be no different from any other context in which you connect to the interwebs via your Comcast service.

      Except Comcast is letting the people who host the routers pay the electrical bill, and injecting even more ads into it.

      And I definitely agree that modifying other people's content is getting into a sketchy area of copyright, and possibly stealing the ad revenue from those site owners.

      Because, if the people who actually own the sites aren't having their ads served, but suddenly someone else's ads are showing up, then isn't Comcast just skimming from someone else's stuff?

      --
      Lost at C:>. Found at C.
    7. Re:Copyright violation? by Charliemopps · · Score: 4, Interesting

      > Does this violate the copyright of the sites the user is visiting? By modifying the content stream, they're creating a derivative work without authorization.

      > On the other hand, user-controlled plugins and ad blockers do that all the time, so I wouldn't be too quick to make that argument in court.

      I'd argue against that... except... by modifying the content en route, they are likely pushing legitimate ad content out of the user's view. i.e. If I ran a search engine, and paid for that service by placing a banner ad at the bottom advertising chicken wings... and then Comcast did their injection attack and pushed that ad further down, they would most certainly be affecting my commercial revenue.

      If the user chose to block that ad themselves, that would be entirely different. They made a choice to do so, or to scroll their screen. But this is an intermediary company forcing that content out of the user's view for a profit. I'd say the EFF should throw up a page, visit it on one of these networks and then sue the living crap out of Comcast.

    8. Re:Copyright violation? by jamesjw · · Score: 4, Funny

      STFU

      Why is Comcast's marketing dept posting as 'AC'? :)

      --
      -- If at first you don't succeed, lie!
    9. Re:Copyright violation? by dugancent · · Score: 2

      Only leased routers do this, so the router is under ownership of Comcast and is rented to the end-user.

      --
      SJWs are the new boogeyman. -Me
    10. Re:Copyright violation? by sconeu · · Score: 2

      Please. Copyright is to be used *BY* the $BIG_CORPORATIONS against $LITTLE_PEOPLE and $SMALL_BUSINESS, not the other way around.

      That's why $BIG_CORPORATIONS bought the current laws!!!

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    11. Re:Copyright violation? by Anonymous Coward · · Score: 2, Interesting

      It's more serious. It violates the CFAA, since it injects code that makes other computers do things they weren't intended to do (put advertising).

      The responsible people should be jailed.

    12. Re:Copyright violation? by Jason Levine · · Score: 4, Funny

      Well, then obviously, you charge those ad distributors for a silver ad plan that gets by the filters.

      Then charge customers for a silver ad blocking plan that blocks them.

      But a gold ad plan will get by that.

      But a gold ad blocking plan will block that.

      But a platinum ad plan will get by even that....

      Cue Comcast's CEO singing "We're In The Money!"

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  3. so don't use them! by lophophore · · Score: 5, Funny

    Don't use random hot spots. It's like safe sex, only for your computer. Stay away from sketchy connections.

    --
    there are 3 kinds of people:
    * those who can count
    * those who can't
    1. Re:so don't use them! by dissy · · Score: 4, Funny

      > Don't use random hot spots. It's like safe sex, only for your computer.

      [me] Aight baby, play with that packet. You know how I like it
      [ap] tee hee *beep*
      [me] oh yea, deeper inspection, deeper inspection! oh yea!
      [ap] *56k carrier sound*
      [me] That's what I like to hear! Now, I put on my robe and wizards hat
      [ap] ... *stp-broadcast* ...
      [me] baby-aye-pee you still there? Where'd ya go??

  4. Content Security Policy by Lightn · · Score: 4, Interesting

    It would be interesting to see what would happen if you browsed a website with Content Security Policy headers on a Comcast public Wi-Fi hotspot.

    The technology is new enough that the injection technology might not handle it and thus the browser would block the ad. But if they did, by changing the CSP headers, the website might have a stronger case for suing Comcast since they would be explicitly bypassing a security technology.
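
An added example (not part of the thread or of the comment above): a simplified `script-src` check showing how a browser enforcing a site's CSP would treat a script injected in transit, and why that only holds while the header itself arrives unmodified. All hostnames and the `scriptAllowed` helper are constructed for illustration; ports, paths and `strict-dynamic` are not modelled.

```javascript
// Added example: simplified CSP script-src evaluation (hostnames are constructed).
// Not a full CSP implementation: ports, paths and 'strict-dynamic' are ignored.

// Parse a header value into { directive: [sources] }; first occurrence wins.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Does one source expression allow this external script URL?
function sourceMatches(expr, script, page) {
  const e = expr.toLowerCase();
  if (e === "'self'") return script.origin === page.origin;
  if (e === "*") return /^https?:$/.test(script.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return script.protocol === e; // scheme-source
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::[0-9*]+)?(?:\/.*)?$/);
  if (!m) return false; // keywords such as 'none' or 'unsafe-inline'
  const [, scheme, wildcard, host] = m;
  // Without a scheme, the script must use the page's scheme (or upgrade to https).
  const schemeOk = scheme
    ? script.protocol === scheme + ":"
    : script.protocol === page.protocol || script.protocol === "https:";
  const hostOk = wildcard
    ? script.hostname.endsWith("." + host)
    : script.hostname === host;
  return schemeOk && hostOk;
}

// scriptUrl === null means an inline <script> element.
function scriptAllowed(header, pageUrl, scriptUrl) {
  const policy = parseCsp(header);
  const sources = policy["script-src"] ?? policy["default-src"];
  if (sources === undefined) return true; // no policy: nothing is blocked
  if (scriptUrl === null) {
    // Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
    const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
    return !hasNonceOrHash && sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  }
  const page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, new URL(scriptUrl, page), page));
}
```

With the constructed policy `default-src 'self'; script-src 'self' https://cdn.news.example` on `http://news.example/story`, both an inline injected script and one loaded from a hotspot ad host are refused, but a copy of the header with that host appended allows it, which is why the policy is only dependable when delivered over HTTPS.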

  5. Copyright violation? by j127 · · Score: 5, Insightful

    Yes, definitely. Also, it violates the policies of ad-free sites to not subject their visitors to ads. Websites will not be able to maintain their terms of service. For example: if you pay the website for an ad-free subscription, and Comcast then injects ads, your customers are screwed.

    An ad-blocker is for personal use -- kind of like marking a page in a book that you're reading or removing a picture because you don't want to see it. Systematic modification of copyrighted content before delivery to customers is definitely criminal.

  6. JavaScript by j127 · · Score: 4, Insightful

    That would be nice, but it's impossible to use the modern web and HTML5 without JavaScript. Maybe Privacy Badger or Ghostery can block it.

  7. Re:And this is why we're moving towards SSL only by sjames · · Score: 2

    That should go over really well for internet banking and other security sensitive uses.

  8. Windows 8 reverts the hosts file by tepples · · Score: 3, Interesting

    > Maybe I'm missing something here but it seems like an edit to a local hosts file could resolve this.

    You're not the only one who uses hosts files like this. When Flash ads first appeared on Slashdot, I started blocking servers that send Flash ads. (I'll never buy Splunk because it was the first thing I ever saw advertised in a Flash ad.) I've since switched to click-to-play plug-ins for that, but I have written a few thoughts on how to make hosts file parsing more efficient than it currently is.

    Alex P. Kowalski (APK) has long been an advocate of using hosts files for DNS blacklisting and acceleration, and his tool for Windows aggregates multiple sources over a million lines long. It also looks up the IP addresses for commonly accessed sites and caches them locally. He claims that his tool is more efficient than DNS because the operating system's hosts file parser allegedly runs in kernel space (fewer context switches) and the most commonly accessed sites (good or bad) are at the top of the list.

    But lately, Windows Defender has been reverting the hosts file so that malware can't use the hosts file to redirect Facebook and the major webmails and "steal" users' credentials that way. You have to opt out of hosts file protection if you want to continue using APKware.

  9. Malicious by sunderland56 · · Score: 3

    > Even if Comcast doesn't have any malicious intent

    Of course they have malicious intent; they are inserting ads where previously there were none. Isn't that malicious enough for you?

  10. Until today, I didn't see the point... by kylemonger · · Score: 5, Insightful

    ... of using https for everything. I do now.

  11. you don't either by Anonymous Coward · · Score: 3

    https everywhere

  12. Until today, I didn't see the point... by riceracer · · Score: 3, Insightful

    Too bad you can't use https for slashdot. Redirects back to http. (And after all their own coverage of NSA spying?) FAIL.

  13. Comcast: Least popular company in the U.S. by Futurepower(R) · · Score: 2

    From the Wikipedia entry for Comcast:

    "In April 2014, Comcast was awarded the 2014 "Worst Company in America" award; an annual contest by the consumer affairs blog The Consumerist that runs a series of reader polls to determine the least popular company in America."

    More from the same Wikipedia article:

    In 2004 and 2007, the American Customer Satisfaction Index (ACSI) survey found that Comcast had the worst customer satisfaction rating of any company or government agency in the country, including the Internal Revenue Service.

  14. Re:Defetism by parkinglot777 · · Score: 3, Informative

    > Now if those @#*$&! at Mozilla gave me that convenient checkbox to enable/disable Javascript without having to mess with about:config, I'd have one gripe less.

    Then you should use the NoScript plug-in which automatically blocks JavaScript from sites you visit (except certain white list sites and you may have to block them yourself). Besides, the plug-in remembers what you have set up (allow/not allow) even after the browser update (thumbs up for the developers to keep up with the browser). It is a simple workaround.