{"id":6401,"date":"2014-09-10T10:00:58","date_gmt":"2014-09-10T14:00:58","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=6401"},"modified":"2014-09-10T10:00:58","modified_gmt":"2014-09-10T14:00:58","slug":"comcast-wi-fi-serving-self-promotional-ads-via-javascript-injection","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2014\/09\/10\/comcast-wi-fi-serving-self-promotional-ads-via-javascript-injection\/","title":{"rendered":"Comcast Wi-Fi serving self-promotional ads via JavaScript injection"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/arstechnica.com\/tech-policy\/2014\/09\/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality\/\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/09\/xfinitywifiisherepic.jpg\" alt=\"\" \/><\/a><\/p>\n<p>Comcast has begun serving Comcast ads to devices connected to one of its 3.5 million publicly accessible Wi-Fi hotspots across the US. Comcast&#8217;s decision to inject data into websites raises security concerns and arguably cuts to the core of the ongoing net neutrality debate.<\/p>\n<p>A Comcast spokesman told Ars the program began months ago. One facet of it is designed to alert consumers that they are connected to Comcast&#8217;s Xfinity service. Other ads remind Web surfers to download Xfinity apps, Comcast spokesman Charlie Douglas told Ars in telephone interviews.<\/p>\n<p>The advertisements may appear about every seven minutes or so, he said, and they last for just seconds before trailing away. Douglas said the advertising campaign only applies to Xfinity&#8217;s publicly available Wi-Fi hot spots that dot the landscape. 
Comcast customers connected to their own Xfinity Wi-Fi routers when they&#8217;re at home are not affected, he said.<\/p>\n<p>&#8220;We think it&#8217;s a courtesy, and it helps address some concerns that people might not be absolutely sure they&#8217;re on a hotspot from Comcast,&#8221; Douglas said.<\/p>\n<p style=\"text-align:center;\"><a href=\"http:\/\/arstechnica.com\/tech-policy\/2014\/09\/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality\/\"><img data-recalc-dims=\"1\" height=\"74\" width=\"640\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/09\/javascreener-640x74.png?resize=640%2C74\" alt=\"\" \/><\/a><\/p>\n<p>The Comcast advertising campaign came to Ars&#8217; attention after Ryan Singel, the co-founder of startup Contextly, was reading Mediagazer at a caf\u00e9 in the North Beach neighborhood of San Francisco on Labor Day.<\/p>\n<p>A small red advertisement saying &#8220;XFINITY WiFi Peppy&#8221; scooted across the bottom of the Mediagazer page and disappeared into the ether. It happened a few times, he said. Singel took screen shots of the advertisement loading and as it appeared on his screen. He captured some code, too.<\/p>\n<p>&#8220;When a user requests to view a page, Comcast injects its JavaScript into the packets being returned by the real server,&#8221; Singel said during an instant-message chat.<\/p>\n<p style=\"text-align:center;\"><a href=\"http:\/\/arstechnica.com\/tech-policy\/2014\/09\/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality\/\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/09\/xfinityad.png\" alt=\"\" \/><\/a><\/p>\n<p>A Comcast-served house ad.<\/p>\n<p>Singel&#8217;s suspicions were correct that Mediagazer didn&#8217;t place the ad there, and Mediagazer is none too happy about it. 
&#8220;Indeed, they were not ours,&#8221; Gabe Rivera, who runs Mediagazer and Techmeme, said in an e-mail. In another e-mail, he said, &#8220;someone else is inserting them in a sneaky way.&#8221;<\/p>\n<p>Unwanted injections<\/p>\n<p>Security implications of the use of JavaScript can be debated endlessly, but it is capable of performing all manner of malicious actions, including controlling authentication cookies and redirecting where user data is submitted.<\/p>\n<p>Comcast&#8217;s Douglas says Comcast has nothing nefarious up its sleeve. What&#8217;s more, Comcast has multiple layers of security &#8220;based on industry best practices&#8221; to keep out hackers wanting to exploit the Xfinity network, he said.<\/p>\n<p>Seth Schoen, the senior staff technologist for the Electronic Frontier Foundation, reviewed the data pulled by Singel and said that &#8220;there ended up being JavaScript in the page that was not intended by the server.&#8221;<\/p>\n<p>Even if Comcast doesn&#8217;t have any malicious intent, and even if hackers don&#8217;t access the JavaScript, the interaction of the JavaScript with websites could &#8220;create&#8221; security vulnerabilities in websites, Schoen said. &#8220;Their code, or the interaction of code with other things, could potentially create new security vulnerabilities in sites that didn&#8217;t have them,&#8221; Schoen said in a telephone interview.<\/p>\n<p>One way to prevent this from happening, he said, is for websites to encrypt and serve over HTTPS. But many sites do not do that.<\/p>\n<p>Security expert Dan Kaminsky said in an e-mail that JavaScript injection has the potential to break &#8220;all sorts of stuff, in that you no longer know as a website developer precisely what code is running in browsers out there. 
You didn&#8217;t send it, but your customers received it.&#8221;<\/p>\n<p>Full Story: <a href=\"http:\/\/arstechnica.com\/tech-policy\/2014\/09\/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality\/\" target=\"_blank\">Comcast Wi-Fi serving self-promotional ads via JavaScript injection | Ars Technica<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Comcast has begun serving Comcast ads to devices connected to one of its 3.5 million publicly accessible Wi-Fi hotspots across [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[7,9],"tags":[210,525,584],"class_list":["post-6401","post","type-post","status-publish","format-standard","hentry","category-security","category-software","tag-comcast","tag-injection","tag-javascript"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-1Ff","jetpack-related-posts":[{"id":7070,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/12\/11\/comcast-slapped-with-class-action-lawsuit-for-turning-customers-routers-into-public-hotspots\/","url_meta":{"origin":6401,"position":0},"title":"Comcast slapped with class-action lawsuit for turning customers&#8217; routers into public hotspots","author":"NCCT","date":"December 11, 2014","format":false,"excerpt":"Comcast\u2019s controversial decision to transform its customers\u2019 wireless routers into public Wi-Fi hotspots has, predictably, landed the company in even more hot water. A pair of disgruntled customers recently filed a class-action lawsuit against the cable, television and Internet provider in San Francisco. 
Toyer Grear and Joycelyn Harris claim Comcast\u2026","rel":"","context":"In &quot;Networking&quot;","block_context":{"text":"Networking","link":"https:\/\/nccomputertech.com\/techtalk\/category\/networking\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8378,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/06\/05\/comcast-customer-satisfaction-rating-plummets-again\/","url_meta":{"origin":6401,"position":1},"title":"Comcast customer satisfaction rating plummets again","author":"NCCT","date":"June 5, 2015","format":false,"excerpt":"Image: Aurich Lawson \/ Thinkstock Comcast's customer satisfaction scores have dropped again in all three triple-play categories, with the nation's largest cable and broadband company faring particularly poorly in pay-TV service. The American Customer Satisfaction Index's (ACSI) latest annual report on telecommunications and information, released today, places Comcast at the\u2026","rel":"","context":"In &quot;Technology&quot;","block_context":{"text":"Technology","link":"https:\/\/nccomputertech.com\/techtalk\/category\/technology\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2015\/06\/sad-trombone-is-sad-640x360.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2015\/06\/sad-trombone-is-sad-640x360.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2015\/06\/sad-trombone-is-sad-640x360.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":7615,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/02\/12\/dailytech-comcast-employees-cant-stop-cussing-out-customers-woman-billed-as-b-word\/","url_meta":{"origin":6401,"position":2},"title":"Comcast Employees Can&#8217;t Stop Cussing out Customers, Woman Billed as &#8216;B&#8217; Word","author":"NCCT","date":"February 12, 2015","format":false,"excerpt":"Lucky that Comcast has those local 
monopolies on high speed internet and cable television service, or it might actually suffer When you're a business who's caught harassing customers, swearing at customers, and engaging in acts that might be considered tantamount to fraud, you're likely sweating bullets as you may soon\u2026","rel":"","context":"In &quot;Technology&quot;","block_context":{"text":"Technology","link":"https:\/\/nccomputertech.com\/techtalk\/category\/technology\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":9158,"url":"https:\/\/nccomputertech.com\/techtalk\/2017\/04\/23\/comcasts-privacy-policy\/","url_meta":{"origin":6401,"position":3},"title":"Comcast&#8217;s Privacy Policy","author":"NCCT","date":"April 23, 2017","format":false,"excerpt":"https:\/\/www.youtube.com\/watch?feature=player_detailpage&v=f61x1vqroaQ Denise Howell, Mike Keyes, Evan Brown and Matt Curtis go over the Comcast privacy policy, what is collected and how to opt-out of personalized advertising.","rel":"","context":"In &quot;Technology&quot;","block_context":{"text":"Technology","link":"https:\/\/nccomputertech.com\/techtalk\/category\/technology\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/f61x1vqroaQ\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":8046,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/04\/16\/att-but-not-verizon-and-comcast-sue-fcc-over-net-neutrality\/","url_meta":{"origin":6401,"position":4},"title":"AT&#038;T, but not Verizon and Comcast, sue FCC over net neutrality","author":"NCCT","date":"April 16, 2015","format":false,"excerpt":"Out of the many lawsuits filed this week against the Federal Communications Commission, just one came from a major Internet service provider: AT&T. 
AT&T made no secret of its opposition to the FCC's net neutrality order, but it was reported last month that trade groups rather than individual ISPs would\u2026","rel":"","context":"In &quot;Technology&quot;","block_context":{"text":"Technology","link":"https:\/\/nccomputertech.com\/techtalk\/category\/technology\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2015\/04\/att-logo-300x150.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9343,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/05\/27\/this-week-in-tech-668-how-many-cups-in-a-stone\/","url_meta":{"origin":6401,"position":5},"title":"This Week in Tech 668: How Many Cups in a Stone?","author":"NCCT","date":"May 27, 2018","format":false,"excerpt":"https:\/\/youtu.be\/i1oqaFyVcQ0 --The FBI wants you to reboot your router right now. FBI agents have gained control of a huge Russian botnet. If your router is affected you just need to reboot it. --Facebook and Russian ads - how should government react in the age of cyber warfare? 
--Amazon sells facial\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/i1oqaFyVcQ0\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/6401","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=6401"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/6401\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=6401"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=6401"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=6401"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}