Comcast Wi-Fi serving self-promotional ads via JavaScript injection

Comcast has begun serving Comcast ads to devices connected to one of its 3.5 million publicly accessible Wi-Fi hotspots across the US. Comcast’s decision to inject data into websites raises security concerns and arguably cuts to the core of the ongoing net neutrality debate.

A Comcast spokesman told Ars the program began months ago. One facet of it is designed to alert consumers that they are connected to Comcast’s Xfinity service. Other ads remind Web surfers to download Xfinity apps, Comcast spokesman Charlie Douglas told Ars in telephone interviews.

The advertisements may appear about every seven minutes or so, he said, and they last for just seconds before trailing away. Douglas said the advertising campaign only applies to Xfinity’s publicly available Wi-Fi hotspots that dot the landscape. Comcast customers connected to their own Xfinity Wi-Fi routers when they’re at home are not affected, he said.

“We think it’s a courtesy, and it helps address some concerns that people might not be absolutely sure they’re on a hotspot from Comcast,” Douglas said.

The Comcast advertising campaign came to Ars’ attention after Ryan Singel, the co-founder of startup Contextly, was reading Mediagazer at a café in the North Beach neighborhood of San Francisco on Labor Day.

A small red advertisement saying “XFINITY WiFi Peppy” scooted across the bottom of the Mediagazer page and disappeared into the ether. It happened a few times, he said. Singel took screenshots of the advertisement loading and as it appeared on his screen. He captured some code, too.

“When a user requests to view a page, Comcast injects its JavaScript into the packets being returned by the real server,” Singel said during an instant-message chat.

Image caption: A Comcast-served house ad.

Singel’s suspicion that Mediagazer didn’t place the ad there was correct, and Mediagazer is none too happy about it. “Indeed, they were not ours,” Gabe Rivera, who runs Mediagazer and Techmeme, said in an e-mail. In another e-mail, he said, “someone else is inserting them in a sneaky way.”

Unwanted injections

The security implications of JavaScript can be debated endlessly, but JavaScript is capable of performing all manner of malicious actions, including controlling authentication cookies and redirecting where user data is submitted.

Comcast’s Douglas says Comcast has nothing nefarious up its sleeve. What’s more, Comcast has multiple layers of security “based on industry best practices” to keep out hackers wanting to exploit the Xfinity network, he said.

Seth Schoen, the senior staff technologist for the Electronic Frontier Foundation, reviewed the data pulled by Singel and said that “there ended up being JavaScript in the page that was not intended by the server.”

Even if Comcast doesn’t have any malicious intent, and even if hackers don’t access the JavaScript, the interaction of the JavaScript with websites could “create” security vulnerabilities in websites, Schoen said. “Their code, or the interaction of code with other things, could potentially create new security vulnerabilities in sites that didn’t have them,” Schoen said in a telephone interview.

One way to prevent this from happening, he said, is for websites to encrypt and serve over HTTPS. But many sites do not do that.

Security expert Dan Kaminsky said in an e-mail that JavaScript injection has the potential to break “all sorts of stuff, in that you no longer know as a website developer precisely what code is running in browsers out there. You didn’t send it, but your customers received it.”
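
One way a site operator could check for the kind of in-transit injection Singel and Kaminsky describe, as an added example that is not from the article or from Comcast: compare the scripts in the HTML the origin served with a copy of the same page fetched over the network path under test. The function names, sample pages and the `injector.example` URL are constructed for illustration.

```javascript
// List every <script> in an HTML string: external scripts are keyed by
// their src, inline scripts by their whitespace-normalised body.
function scriptInventory(html) {
  const found = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = srcRe.exec(m[1]);
    if (src) {
      const value = src.slice(1).find((v) => v !== undefined);
      found.push({ kind: 'external', key: value });
    } else {
      found.push({ kind: 'inline', key: m[2].replace(/\s+/g, ' ').trim() });
    }
  }
  return found;
}

// Return the scripts present in the received copy that the origin never
// sent. Counts are tracked so a duplicated copy of a known script shows up.
function injectedScripts(originHtml, receivedHtml) {
  const known = new Map();
  for (const s of scriptInventory(originHtml)) {
    const id = s.kind + ':' + s.key;
    known.set(id, (known.get(id) || 0) + 1);
  }
  const extra = [];
  for (const s of scriptInventory(receivedHtml)) {
    const id = s.kind + ':' + s.key;
    const remaining = known.get(id) || 0;
    if (remaining > 0) known.set(id, remaining - 1);
    else extra.push(s);
  }
  return extra;
}

// Constructed sample pages: what the server sent, and what a client on an
// intermediary-controlled network received over plain HTTP.
const ORIGIN_HTML = `<html><head><script src="/static/app.js"></script></head>
<body><p>Headlines</p><script>initPage();</script></body></html>`;
const RECEIVED_HTML = `<html><head><script src="/static/app.js"></script></head>
<body><p>Headlines</p><script>initPage();</script>
<script src="http://injector.example/overlay.js"></script>
<script>showOverlay();</script></body></html>`;

console.log(injectedScripts(ORIGIN_HTML, RECEIVED_HTML));
```

Serving the page over HTTPS, the mitigation Schoen names, removes the intermediary's ability to modify the response, so this comparison is mainly useful for auditing pages still delivered over plain HTTP.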

Full Story: Comcast Wi-Fi serving self-promotional ads via JavaScript injection | Ars Technica.
