Injection of WTF



  • Where I am Comcast is the main ISP and I have been happily talking to them with an old Linksys DOCSIS 2.0 cable modem for many years. (Yes its an outdated Modem, but it works and I wasn't complaining about the link speed I have so why pay money for something I don't "need"?). This year however Comcast has been pushing for its subscribers to move to a DOCSIS 3.0 compatible modem and while I am not really conversant with the technology I do know that there are benefits of greater potential speed, and also better reliability (especially if everyone in the neighbourhood is also at the 3.0 level), even though theoretically a DOCSIS 2.0 modem does work on a 3.0 network.

    As a part of their push Comcast sent out a couple of letters this year suggesting that I change my modem over, which I promptly ignored. In the last 2 weeks though they have upped their game and this is where the WTF?!?!?!? comes into (triple) play. Comcast decided that the only way to get my attention was to inject a floating pop-up message into my internet feed as I was browsing a website:

    [IMG]http://i.imgur.com/5AXIwR8.png?1[/IMG]

    I don't know what is the biggest WTF:

    1. That the scary message says that my modem will stop working by a certain date, even though a DOCSIS 3.0 system should be able to fall back to the 2.0 standard

    2. That Comcast processes my web feeds to the point that they can inject whatever they want (in this case the pop-up was generated by an injected javascript method)


    Bonus WTF .. here is the alert code here is the alert code


  • Discourse touched me in a no-no place

    @OzPeter said:

    That Comcast processes my web feeds to the point that they can inject whatever they want (in this case the pop-up was generated by an injected javascript method)
    I note that their PRIVACY STATEMENT has nothing to say on the matter... In the UK Phorm & BT got their fingers bitten over doing much the same thing


  • Trolleybus Mechanic



  • How is that even legal? They couldn't think of a better channel to relay that information to you? Comcast is very special.


  • Trolleybus Mechanic

    @Dogsworth said:

    How is that even legal? They couldn't think of a better channel to relay that information to you? Comcast is very special.
    ISP? Legality? BWAHAHAHAHHAHAHAHAHAHAAHAH!



  • @Dogsworth said:

    How is that even legal? They couldn't think of a better channel to relay that information to you? Comcast is very special.
    Well they did send me at least 2 letters before they hijacked my internet feed.



  • @PJH said:

    In the UK Phorm & BT got their fingers bitten over doing much the same thing

    So much phail on every level.



  • @OzPeter said:

    Well they did send me at least 2 letters before they hijacked my internet feed.

    I guess I was thinking more along the lines of:

    1. A phone call, maybe even leaving a message (which companies never do)
    2. Write a message on your bill
    3. Telegram
    4. Smoke signals
    5. Anything but intercepting your traffic and injecting crap into it


  • @Dogsworth said:

    How is that even legal? They couldn't think of a better channel to relay that information to you? Comcast is very special.
     

    Agreed.  I've always thought that the US is too litigious, but this is the sort of thing that they legitimately ought to get sued over.



  • @PJH said:

    In the UK Phorm & BT got their fingers bitten over doing much the same thing
    There's no comparison. Phorm was adware in the exchange. In this case, it's a message that needs to be passed on, not spam. Simply sending web traffic to a redirect might have been better, but the injection is slicker. I have no idea what anyone's objecting to. In what way does it invade your privacy? It's the equivalent of the postman putting an extra envelope through your door, rather than, as it seems to be being construed, opening your post and writing on the bottom.



  • @TDWTF123 said:

    [I have no idea what anyone's objecting to. In what way does it invade your privacy? It's the equivalent of the postman putting an extra envelope through your door, rather than, as it seems to be being construed, opening your post and writing on the bottom.
    Comcast intercepted the HTTP stream from the website I was reading, modified it and forwarded onto me the modified data as if it was the original data requested by the http GET that I generated. How is that not the postman opening a letter addressed to me, writing on it and sealing it up as if the original sender had written on the letter themselves? This is why its called injection



  • @OzPeter said:

    @TDWTF123 said:
    [I have no idea what anyone's objecting to. In what way does it invade your privacy? It's the equivalent of the postman putting an extra envelope through your door, rather than, as it seems to be being construed, opening your post and writing on the bottom.
    Comcast intercepted the HTTP stream from the website I was reading, modified it and forwarded onto me the modified data as if it was the original data requested by the http GET that I generated. How is that not the postman opening a letter addressed to me, writing on it and sealing it up as if the original sender had written on the letter themselves? This is why its called injection
    If it was an HTTPS session, sure, I could see your point. But to inject something into a simple HTTP request is a bit different.


    Am I missing something on the technical side? All they need to do is wait for you to request an HTML page, parse the stream as far as the headers and add their bit of javascript, then serve the rest as normal.


    I really can't see why anyone would object to that. I'd object like hell if they were injecting spam, or using it for everyday communication, but for the occasional important message, it seems reasonable.


    In general, I'm fine with the idea that an ISP should impart important information via either redirection or injection. Would you be happier if they'd redirected to an entirely different site to give the same message?



  • I only object because they aren't going far enough. It needs to modify the request into a file download and send you the Very Important Provider Message™ as an .XLSX file, causing your browser to open Microsoft Excel.



  • @TDWTF123 said:

    @OzPeter said:
    @TDWTF123 said:
    [I have no idea what anyone's objecting to. In what way does it invade your privacy? It's the equivalent of the postman putting an extra envelope through your door, rather than, as it seems to be being construed, opening your post and writing on the bottom.
    Comcast intercepted the HTTP stream from the website I was reading, modified it and forwarded onto me the modified data as if it was the original data requested by the http GET that I generated. How is that not the postman opening a letter addressed to me, writing on it and sealing it up as if the original sender had written on the letter themselves? This is why its called injection
    If it was an HTTPS session, sure, I could see your point. But to inject something into a simple HTTP request is a bit different.

    OK, so it's the post man tacking on a message at the bottom of a postcard rather than a letter.  That is still a problem due to it being injection.

    @TDWTF123 said:

    Would you be happier if they'd redirected to an entirely different site to give the same message?

    Very yes, but only on the first request.



  • @locallunatic said:

    OK, so it's the post man tacking on a message at the bottom of a postcard rather than a letter.  That is still a problem due to it being injection.
    More like the postman writing a message under the address on an envelope. But it's not entirely the same, either. How about the postman using a large needle to literally inject a rolled-up note inside an envelope?


    Sure, if someone was sitting watching your browsing, and deciding when to send the message, that would be invasive. But for a server to scan the beginning of a file doesn't seem to have anything of that nature in it. Not only does the server not care what page it's interfering with, but if it was sentient and did care, it's sending you the file anyway so could look all it wants.



  • @TDWTF123 said:

    Am I missing something on the technical side? All they need to do is wait for you to request an HTML page, parse the stream as far as the headers and add their bit of javascript, then serve the rest as normal.
    From memory the script was injected near the bottom of the page (wish I had saved the entire page now), so comcast did not just read to the headers, insert their stream and continue on.

    Technically what Comcast did was trivial (especially as it was HTTP), but IHMO the wrong thing to do. The Internets is predicated on a client asking a server for a file and that file being delivered as is to the client. Anything else can be construed as a MITM attack.

    But lets look at what they did:
    1. They identified my account as not having a DOCSIS 3.0 modem

    2. They pushed all internet traffic through a proxy server that looked for non-DOCSIS 3 accounts

    3. The proxy server parsed the HTTP stream and (where required) injected their alert script into the stream (and logged when the user had cleared the alert from their screen - I only saw the alert twice in the last week or so)



    What I think they should have done is have that proxy server simply redirect every n'th web access to the comcast page saying "upgrade or else" and then allow me to continue onto my desired page. From what I understand this is not really hard technology to do. This would alleviate the potential charges of MITM, especially as what they are doing has been associated in the past with ISP injecting ads rather than displaying important messages.



  • @OzPeter said:

    What I think they should have done is have that proxy server simply redirect every n'th web access to the comcast page saying "upgrade or else" and then allow me to continue onto my desired page. From what I understand this is not really hard technology to do.
    Nearly every public WiFi hotspot I've ever used does this – or something very much like it – to their TOS page on the first attempt to access a web site through it. Or tries to; if the site you're trying to access uses https, it fails, you can't accept the hotspot's TOS, and you can't access anything (thanks, https-everywhere).



  • @OzPeter said:

    Anything else can be construed as a MITM attack.
    MITM? That's what they do. Their reason for being. It's not like, it is that. The ISP is quite literally the MITM. (OK, almost literally. They're the EntityITM.) But it's not an attack.

    @OzPeter said:

    They identified my account as not having a DOCSIS 3.0 modem
    Yes. And? Is that not something they have to do when they negotiate a connection with your modem?
    @OzPeter said:
    They pushed all internet traffic through a proxy server that looked for non-DOCSIS 3 accounts
    Eh? Surely they just pushed noncompliant accounts' traffic that way, given that they already knew who was and was not compliant? And even then, they don't need to push 'all' your internet traffic that way. Just a single http request, every now and again.
    @OzPeter said:
    The proxy server parsed the HTTP stream and (where required) injected their alert script into the stream (and logged when the user had cleared the alert from their screen - I only saw the alert twice in the last week or so)
    OK. What's wrong with them doing that? Is it better if instead of doing that they don't serve the page at all, but instead serve a completely different one? What the hell difference does it make to anything?

    @OzPeter said:

    what they are doing has been associated in the past with ISP injecting ads rather than displaying important messages.
    Insert here an analogy involving not sending email because email has been used for spam.



  • @TDWTF123 said:

    @OzPeter said:
    The proxy server parsed the HTTP stream and (where required) injected their alert script into the stream (and logged when the user had cleared the alert from their screen - I only saw the alert twice in the last week or so)
    OK. What's wrong with them doing that? Is it better if instead of doing that they don't serve the page at all, but instead serve a completely different one?

    Very yes they should be pointing you to a different page.  One that tells you that it is a different page and why.  You seem to have a different outlook on the MITM attack (yes it is an attack even if not a damaging one) so instead lets point out that they are inserting javascript to display their thing.  That means it won't display at all for those who either disable javascript or only allow it from specified domains.



  • @locallunatic said:

    Very yes they should be pointing you to a different page.  One that tells you that it is a different page and why.  You seem to have a different outlook on the MITM attack (yes it is an attack even if not a damaging one) so instead lets point out that they are inserting javascript to display their thing.  That means it won't display at all for those who either disable javascript or only allow it from specified domains.
    I'm happy with technical reasons why the redirect might be better. I just can't see a difference when it comes to privacy. And I have to say, I still don't see why you class a MITM change as an attack if it causes no harm.



  • @OzPeter said:

    @TDWTF123 said:
    [I have no idea what anyone's objecting to. In what way does it invade your privacy? It's the equivalent of the postman putting an extra envelope through your door, rather than, as it seems to be being construed, opening your post and writing on the bottom.
    Comcast intercepted the HTTP stream from the website I was reading, modified it and forwarded onto me the modified data as if it was the original data requested by the http GET that I generated. How is that not the postman opening a letter addressed to me, writing on it and sealing it up as if the original sender had written on the letter themselves? This is why its called injection
    It probably bothers you because it's a reminder that they could be watching everything you do. They are. It's nearly certain that at some point in your life, some low-level ISP employee is going to make some flippant remark about the stupid trinket you just bought on eBay as it flashes by in the log. As time goes on, it also seems more likely that they are going to 500 the response of one of their competitor's websites.



  • @OzPeter said:

    I don't know what is the biggest WTF:

    1. That the scary message says that my modem will stop working by a certain date, even though a DOCSIS 3.0 system should be able to fall back to the 2.0 standard

    Only if they're going to allow DOCSIS 2.0, and given the message and the fact that 2.0 has been hacked to hell and back, it's entirely possible that's exactly why your DOCSIS 2.0 modem will stop working...
    @OzPeter said:
    That Comcast processes my web feeds to the point that they can inject whatever they want (in this case the pop-up was generated by an injected javascript method)

    That's the WTF right there. Stick to that.



  •  First of all the discussion about whether or not this would violate your privacy is moot - it violated several currently still working US regulations about net neutrality (quotation marks) and content delivery. I write currently because there are quite a few trials still going on about this, but for now you should totally report this behaviour, should give Comcast a nice fine.

     Secondly I would love to see a site break because the JavaScript-Variable used by Comcast is already defined on the website. Some poor low-rent coder will get your bug report and will be driven to alcoholism by it.



  • @locallunatic said:

    @TDWTF123 said:

    @OzPeter said:
    The proxy server parsed the HTTP stream and (where required) injected their alert script into the stream (and logged when the user had cleared the alert from their screen - I only saw the alert twice in the last week or so)
    OK. What's wrong with them doing that? Is it better if instead of doing that they don't serve the page at all, but instead serve a completely different one?

    Very yes they should be pointing you to a different page.  One that tells you that it is a different page and why.  You seem to have a different outlook on the MITM attack (yes it is an attack even if not a damaging one) so instead lets point out that they are inserting javascript to display their thing.  That means it won't display at all for those who either disable javascript or only allow it from specified domains.

    +1 to that.

    Also what's up with this?

    You may visit  <a href="#" onClick="document.location.href='/{UID}/aupm/notify.do?dispatch=ackBulletinRedirectSleep&redirectName=mydevicealert'">http://mydeviceinfo.comcast.net</a>
    Ok, I suppose it's a way to avoid having to specify either http:// or https// inside the href attribute.


  • Discourse touched me in a no-no place

    @fire2k said:

    I would love to see a site break because the JavaScript-Variable used by Comcast is already defined on the website. Some poor low-rent coder will get your bug report and will be driven to alcoholism by it.
    What about Comcast's own site?



  •  Aww I saw blakeyrat and hope he returned, turns out it's only a signature guy blakeyrat. :((



  • @Zecc said:

    Ok, I suppose it's a way to avoid having to specify either http:// or https// inside the href attribute.
    You can avoid that by using <a href="//server.tld/whatever">.



  • @Dogsworth said:

    How is that even legal? They couldn't think of a better channel to relay that information to you? Comcast is very special.

    The comments made on the Google case suggest wiretapping is legal if it is required for normal business. Google is accused of using the email content to build ad profiles of both Gmail and non-Gmail users, which is why the case has not been thrown out of court.



    1. I'd be really pissed if Comcast decided to add content to a web page requested from a site other than Comcast. Like, REALLY pissed. I'd look carefully at their terms of service, to see if anywhere they say they might do that. If not, send a strongly worded letter.

    2. Take what comcast says with a grain of salt. Several times now, I've been "informed" that my cable service will terminate if I don't get a cable box (with the requisite fees, of course); but I'm still going strong. I have just minimal cable (the cheapest cable I can get) and that might have something to do with it.


      If it were me, I'd just wait them out; then when (if) my internet service goes down, call them and require them to come out and fix it. If they tell you you need a new modem and that you were told that, feign ignorance. See what hoops you can make them go through to remain a customer of theirs. There's always other ISPs to go through.


  • @DrPepper said:

    1) I'd be really pissed if Comcast decided to add content to a web page requested from a site other than Comcast. Like, REALLY pissed. I'd look carefully at their terms of service, to see if anywhere they say they might do that. If not, send a strongly worded letter.

    2) Take what comcast says with a grain of salt. Several times now, I've been "informed" that my cable service will terminate if I don't get a cable box (with the requisite fees, of course); but I'm still going strong. I have just minimal cable (the cheapest cable I can get) and that might have something to do with it.

    If it were me, I'd just wait them out; then when (if) my internet service goes down, call them and require them to come out and fix it. If they tell you you need a new modem and that you were told that, feign ignorance. See what hoops you can make them go through to remain a customer of theirs. There's always other ISPs to go through.


    Or, you could not be a cheap asshole and just upgrade the damn modem.

    Seriously, I'm having trouble figuring out exactly how Comcast are the bad guys here. They're trying to upgrade their network. Something that everyone in the US agrees ought to be a major priority so that we can have a better, more robust, and more extensive broadband infrastructure. And OP is obstructing that and potentially wrecking the service of every other customer. If I was his neighbor and found out that he's part of the reason I'm stuck with < 40MBit/s dl speeds when people in Korea and Japan are getting 1GBit/s you can bet your happy ass I'd lead a mob with torches and pitchforks to his door.



  • @fire2k said:

      Secondly I would love to see a site break because the JavaScript-Variable used by Comcast is already defined on the website. Some poor low-rent coder will get your bug report and will be driven to alcoholism by it.

     

     

    And that's exactly what happens to us.  And of course they define all sorts of names/classes like Base64 and since it injects after our code it will happily replace our variables and classes.  Then our users spend an hour working on a complex form on our site and lose all of their work because Base64 is no longer what our code expects it to be.  And yes, I'm one of the guys who debugs that stuff!

    Fortunately, we started using our own namespace, defining all of our classes as Foo.Whatever where Foo is our company name and is unique enough that I doubt anyone would use it.  That helped a lot.

     

     


  • Considered Harmful

    @NatmanZ8 said:

    @fire2k said:

      Secondly I would love to see a site break because the JavaScript-Variable used by Comcast is already defined on the website. Some poor low-rent coder will get your bug report and will be driven to alcoholism by it.

     

     

    And that's exactly what happens to us.  And of course they define all sorts of names/classes like Base64 and since it injects after our code it will happily replace our variables and classes.  Then our users spend an hour working on a complex form on our site and lose all of their work because Base64 is no longer what our code expects it to be.  And yes, I'm one of the guys who debugs that stuff!

    Fortunately, we started using our own namespace, defining all of our classes as Foo.Whatever where Foo is our company name and is unique enough that I doubt anyone would use it.  That helped a lot.

     

     

    This isn't a hard problem to solve. Use an IIFE so you don't add anything to the global scope.

    (function(){
        var comcastAlert = whatevs;
    }());
    


  • @Snooder said:

    Or, you could not be a cheap asshole and just upgrade the damn modem.
    if there was any actual benefit to replacing the modem then I would agree with that.  However, there are some problems with your assumptions. @Snooder said:
    They're trying to upgrade their network. Something that everyone in the US agrees ought to be a major priority so that we can have a better, more robust, and more extensive broadband infrastructure.
    You misspelled expensive. @Snooder said:
    And OP is obstructing that and potentially wrecking the service of every other customer. If I was his neighbor and found out that he's part of the reason I'm stuck with < 40MBit/s dl speeds when people in Korea and Japan are getting 1GBit/s you can bet your happy ass I'd lead a mob with torches and pitchforks to his door.
    If you really think that Comcast is a bunch of nice guys who just want to make the Internet better, you've got some serious problems with reality. Whatever Comcast's reasons might be, I can guarantee that giving people faster, better Internet is NOT one of them.  And even if everyone upgrades their modem, do you really think that Comcast, or any other member of the broadband oligopoly is going to give you gigabit speed at a reasonable price and without restrictions that make it useless (e.g., monthly data caps that you'll now exceed in a day with your new gigabit speed).They might do it in the couple of cities where Google is claiming that they are going to roll out gigabit fiber, but the other 99.9% of the country is shit out of luck.

    And none of that changes the fact that injecting content into a page requested from a non-Comcast website is just plain wrong.


  • Discourse touched me in a no-no place

    @Snooder said:

    I'd lead a mob with torches and pitchforks to his door.
    Just throw a horses head through his window.


Log in to reply