Comcast Is Injecting 400+ Lines of JavaScript into Web Pages

[jagdtigger]

Quote

A Comcast subscriber has taken to the company’s support forum to warn others of a despicable practice: intercepting web pages and then altering them by filling them with hundreds of lines of code. More specifically, Comcast’s JavaScript is generating pop-ups that encourage members to buy a new modem even though upgrading is unnecessary.

https://www.hardocp.com/news/2017/12/10/comcast_injecting_400_lines_javascript_into_web_pages

 

Am i he only one who thinks this kind of thing is a MITM attack and it should be considered illegal? Anyway its both disgusting and alarming at the same time, lets hope this wont became a norm....

[AlwaysFSX]

I wouldn't be surprised if this wasn't illegal, but it really should be. You're basically altering a product in transit.

[Bananasplit_00]

guess someone is starting out their celebration a bit early...

[NumLock21]

Looking at their forum thread, one would expect it to have tons of replies and concerns about this practice. Instead it's just one person talking to himself and then a official employee coming in and then marking its own answer as solved. No wonder they're able to do this type of stuff cause the majority of the users have no idea what that OP is talking about.

https://forums.xfinity.com/t5/Customer-Service/Are-you-aware-Comcast-is-injecting-400-lines-of-JavaScript-into/m-p/3013257#M142756

[Selah]

This is fucking wild.

 

bham3dman wrote:

> I just learned of this dispicable Comcast practice today and I am livid.  Comcast began injecting 400+ lines of JavaScript code in to pages I requested on the internet so that when the browser renders the web page,

 

[JL] This is our web notification system, documented in RFC 6108 https://tools.ietf.org/html/rfc6108, which has been in place for many years now. It presents an overlay service message on non-TLS-based HTTP sessions. If you click the X box or otherwise acknowledge the notice it should immediately go away. If that is not the case let me know and we'll have a look at what may be happening.

 

> the JavaScript generates a pop up trying to up-sell me a new modem. 

 

[JL] We are not trying to sell you a new one. If you own your modem we're informing you that it is either end of life (EOL) or that you are about to get a speed upgrade that the modem will be unable to deliver.

 

> When you call the number in the popup, they're quick to tell you that you need a new modem, which in my case is not true.  I later verified with level-2 support that my modem is pefectly fine and I don't need to upgrade. 

 

[JL] You would not get the modem if this were the case. What kind of device (make/model) do you have and what speed tier?

 

> As deceptive as that is however, my major complaint is that Comcast is intercepting web pages and then altering them by filling them with hundreds of lines of code.  Even worse is that I've had to speak to 7 different supervisors from all areas of Comcast and they have either never heard of the process, or those who were aware of the practice don't know how to turn it off.  

 

[JL] That is a failure on our end we'll have to take a look at. This should show up in your account when they look at it.

 

> Comcast has my phone office number, my cell for texts, my email, and my home address, yet they choose to molest my requested web pages by injecting hundreds of lines of code. 

 

[JL] The notice is typically sent after a customer ignores several emails. Perhaps some of those ended up in your spam folder? 

 

JL
Internet Services

 

"this notice should immediately go away even though we're injecting it into every webpage you view"

[Beskamir]

Good thing stuff like https://noscript.net/ exist. Although this is gonna suck for the tech illiterates.

[mr moose]

What was all that stuff about NN and how it isn't necessary?   I this is true then you need it more than ever, and you need it to be enforced by one impartial authority.

 

EDIT: not that there is much "if" about it, they admit to doing it.  Somehow they think if you don't respond to emails or txts then this gives them the right to alter your web traffic.

[Tellos]

Knowing what I know on the subject and of the company I dont buy that Comcast is doing this cause it makes zero sense. Not a single thing is gained from it. Claims it says to buy a new modem, if your renting one you'd jsut swapp it so that makes zero sense if you purchased one and it's too old I dont see hwo a pop up would occure they would e-mail you or mention it in a phone call.

[Drak3]

2 minutes ago, Tellos said:

Knowing what I know on the subject and of the company I dont buy that Comcast is doing this cause it makes zero sense. Not a single thing is gained from it. Claims it says to buy a new modem, if your renting one you'd jsut swapp it so that makes zero sense if you purchased one and it's too old I dont see hwo a pop up would occure they would e-mail you or mention it in a phone call.

ISPs also wouldn't inject code into other websites. They'd push the notification as its own page to your browser and load the requested page once acknowledged.

[Tellos]

@Drak3 Yeah also injecting code into a site assumes your using that code. java is while populare NOT universal. So it'd cause problosm to users not using Java. So why are we not seeing this wider? i think he jsut has malware does not realize it and rathr blame comcast. Also I knwo of times where people have seen fake pop ups claiming to be comcast fidning "malware" and to call a none comcast number or to click a link.

[Eaglerino]

2 hours ago, mr moose said:

What was all that stuff about NN and how it isn't necessary?   I this is true then you need it more than ever, and you need it to be enforced by one impartial authority.

 

EDIT: not that there is much "if" about it, they admit to doing it.  Somehow they think if you don't respond to emails or txts then this gives them the right to alter your web traffic.

lol what impartial authority? That's such an oxymoron

 

I have a feeling Comcast was going to do this regardless. Comcast just sucks

[Bit_Guardian]

1 hour ago, Tellos said:

@Drak3 Yeah also injecting code into a site assumes your using that code. java is while populare NOT universal. So it'd cause problosm to users not using Java. So why are we not seeing this wider? i think he jsut has malware does not realize it and rathr blame comcast. Also I knwo of times where people have seen fake pop ups claiming to be comcast fidning "malware" and to call a none comcast number or to click a link.

It's JavaScript, not Java, and that IS universal in browsers and websites these days. Browsers don't interpret other languages. There is Web-GL, but it's still part of a Javascript library set.

[Tellos]

@Bit_Guardian Either way doesint fit Comcasts MO for how they do things. 

[Matu20]

Just close your eyes, it's fine.

[Bit_Guardian]

20 minutes ago, Tellos said:

@Bit_Guardian Either way doesint fit Comcasts MO for how they do things. 

It most certainly does. They already used your traffic patterns to sell advertising advice to Google and others. This is one small step further.

[Tellos]

@Bit_Guardian Um no they do not, MS Windows 10 does! Google tracks it already, and your phone service if you use android does too. Comcast has stated it will not and does not sell User Data. also wheres your damn proof? I love how everyone throws it at the ISP but not google who blatantly admits it tracks your search data fairly normally. Oh and heres a PC world article.

 

https://www.pcworld.com/article/2986988/privacy/the-price-of-free-how-apple-facebook-microsoft-and-google-sell-you-to-advertisers.html

 

Huh no ISP it's as if they dont WANT to buy it from your ISP or the ISP isint selling it.

[jagdtigger]

10 minutes ago, Tellos said:

@Bit_Guardian Um no they do not, MS Windows 10 does! Google tracks it already, and your phone service if you use android does too. Comcast has stated it will not and does not sell User Data. also wheres your damn proof? I love how everyone throws it at the ISP but not google who blatantly admits it tracks your search data fairly normally. Oh and heres a PC world article.

 

https://www.pcworld.com/article/2986988/privacy/the-price-of-free-how-apple-facebook-microsoft-and-google-sell-you-to-advertisers.html

 

Huh no ISP it's as if they dont WANT to buy it from your ISP or the ISP isint selling it.

There is a few things you forget, first up you pay for your ISP so there is no excuse to sell your data, google on the other hand offers "free" service and in turn it collects data to offer you targeted ads. And at least google admits it(its still isnt alright but at least they come forward and admit it) unlike some other companies... (cough, MS, cough)

[LAwLz]

I'd just like to add that NN did not, and would not stop this. Comcast were allowed to inject code into website traffic under the NN rules too, as long as they did not single out specific websites or services for the injections.

So under the NN rules they were allowed to inject ads for their own TV service to random websites, or all websites. However, they would not be allowed to build a system for detecting Netflix website visits and inject the ad only to those users.

 

This is just Comcast showing what a terrible company they are.

 

3 hours ago, Tellos said:

Knowing what I know on the subject and of the company I dont buy that Comcast is doing this cause it makes zero sense. Not a single thing is gained from it. Claims it says to buy a new modem, if your renting one you'd jsut swapp it so that makes zero sense if you purchased one and it's too old I dont see hwo a pop up would occure they would e-mail you or mention it in a phone call.

A Comcast employee confirmed that they are doing it in the thread.

They even link to the RFC describing how they are doing it.

 

3 hours ago, Drak3 said:

ISPs also wouldn't inject code into other websites. They'd push the notification as its own page to your browser and load the requested page once acknowledged.

Ehm... How do you suggest they push a notification as their own website without injecting code into other websites?

The only way of doing what you're describing that I can think of would be DNS-hijacking, which is far more complicated, will not work against anyone who has changed their DNS and is far more intrusive to the users.

 

3 hours ago, Tellos said:

@Drak3 Yeah also injecting code into a site assumes your using that code. java is while populare NOT universal. So it'd cause problosm to users not using Java. So why are we not seeing this wider? i think he jsut has malware does not realize it and rathr blame comcast. Also I knwo of times where people have seen fake pop ups claiming to be comcast fidning "malware" and to call a none comcast number or to click a link.

It's not Java, it's Javascript.

[Tellos]

@LAwLz I work for them too and am telling you otherwise.

[Castdeath97]

3 hours ago, Tellos said:

@Drak3 Yeah also injecting code into a site assumes your using that code. java is while populare NOT universal. So it'd cause problosm to users not using Java. So why are we not seeing this wider? i think he jsut has malware does not realize it and rathr blame comcast. Also I knwo of times where people have seen fake pop ups claiming to be comcast fidning "malware" and to call a none comcast number or to click a link.

That's Javascript! They share the "java" word but they aren't even remotely related. JavaScript is named like this because of the C Style syntax. And Javascript is waaay more common than you think it is....

[LAwLz]

10 minutes ago, Tellos said:

@LAwLz I work for them too and am telling you otherwise.

Why am I not surprised that the one person who defends this despicable behavior is being paid by Comcast...

 

1) What do you work as? Since you don't even know the difference between Java and JavaScript I am fairly sure it is not some technical position dealing with back-end and that type of things.

2) If Comcast is not doing this, then why did they write an RFC which describes this exact behavior in quite high detail?

 

Edit:

3) Why are all the assets in the script loaded from Comcast's servers and why can I, who is not infected with this supposed malware you're blaming, access them?

[Tellos]

@LAwLz technical support, and I know the differance but he was not specific. Second if one flub means your going to dismiss my entire peice of info fine then there no need to continue your sticking to a confirmation bias where only those saying what you beleive is real is the case.  Note I didint really get into replies on it cause it was corrected so I was fine with it you and others still harp cause it's all you have. You have no data PROVING the company or any ISP IS doing this to create pop up adds as described in the link. And do we know They wrote it? since I doubt that guy if he yanked it from Comcasts systems works for the company anymore after. 

[Sfekke]

If they start celebrating prematurely they just shot in their own foot, this might cause netneutrality to be an even more heated discussion.

The more shady things the ISP's start doing while trying to prove they can regulate their own system, the more people will start standing up for an at this point basic human called the open/free internet.

[Tellos]

Anyways if you guys wanna dismiss me fine I'm not the company PR guy so whatever I'll still go back to the office monday and back to work either way. 

[Tellos]

@Sfekke this isint to do with NN if you were reading.