
[HardOCP] Comcast Is Injecting 400+ Lines of JavaScript into Web Pages

#1 ·
Quote:
A Comcast subscriber has taken to the company's support forum to warn others of a despicable practice: intercepting web pages and then altering them by filling them with hundreds of lines of code. More specifically, Comcast's JavaScript is generating pop-ups that encourage members to buy a new modem even though upgrading is unnecessary.
Quote:
Comcast has my phone office number, my cell for texts, my email, and my home address, yet they choose to molest my requested web pages by injecting hundreds of lines of code. This is not like targeted advertisements when I visit websites with ads (which is perfectly acceptable); this is a direct manipulation of the original source code of the website. This is completely unacceptable to me, and what's worse is that Comcast provides no option to opt out of this horrific practice.
Source.

This should be considered a man in the middle attack and thus be illegal. It's also counterproductive as it undermines the trust in the system.
 
#3 ·
Is anyone really surprised by this? Comcast is probably the worst ISP/media organization in the country. They are corporate fascists through and through.
 
#6 ·
I love that they claim it's a notification that the modem is at end of life, or unable to support a pending upgrade to the line, with absolutely zero explanation as to why it was displayed to a user whose modem is not at end of life with no pending upgrade.

Even the linked page on this "feature" makes no mention of it being used for this purpose, it states that the purpose is to notify end users in cases where their systems have displayed signs of being infected with malware:
Quote:
Originally Posted by https://tools.ietf.org/html/rfc6108

11. Debating the Necessity of Such a Critical Notification System

Some members of the community may question whether it is ever, under
any circumstances, acceptable to modify Internet content in order to
provide critical service notification concerning malware infection -
even in the smallest of ways, even if openly and transparently
documented, even if thoroughly tested, and even if for the best of
motivations. It is important that anyone with such concerns
recognize that this document is by no means the first to propose
this, particularly as a tactic to combat a security problem, and in
fact simply leverages previous work in the IETF, such as [RFC3507].
Such concerned parties should also study the many organizations using
ICAP and the many software systems that have implemented ICAP.

In addition, concerned members of the community should review
Section 1, which describes the fact that this is a common feature of
DPI systems, made by DPI vendors and many, if not most, major
networking equipment vendors. As described herein, the authors of
this document are motivated to AVOID the need for widespread,
ubiquitous deployment of DPI, via the use of both open source
software and open protocols, and are further motivated to
transparently describe the details of how such a system functions,
what it IS intended to do, what it IS NOT intended to do, and
purposes for which it WILL NOT be used.
 
#8 ·
only posting so to be sure folks see it:
https://forums.xfinity.com/t5/Customer-Service/Are-you-aware-Comcast-is-injecting-400-lines-of-JavaScript-into/td-p/3009551
Quote:
Best Answer
jlivingood (Official Employee)
12-08-2017 04:48 PM
Re: Are you aware? Comcast is injecting 400+ lines of JavaScript into web pages.
bham3dman wrote:
> I just learned of this despicable Comcast practice today and I am livid. Comcast began injecting 400+ lines of JavaScript code into pages I requested on the internet so that when the browser renders the web page,

[JL] This is our web notification system, documented in RFC 6108 https://tools.ietf.org/html/rfc6108, which has been in place for many years now. It presents an overlay service message on non-TLS-based HTTP sessions. If you click the X box or otherwise acknowledge the notice it should immediately go away. If that is not the case let me know and we'll have a look at what may be happening.

> the JavaScript generates a pop up trying to up-sell me a new modem.

[JL] We are not trying to sell you a new one. If you own your modem we're informing you that it is either end of life (EOL) or that you are about to get a speed upgrade that the modem will be unable to deliver.

> When you call the number in the popup, they're quick to tell you that you need a new modem, which in my case is not true. I later verified with level-2 support that my modem is perfectly fine and I don't need to upgrade.

[JL] You would not get the modem if this were the case. What kind of device (make/model) do you have and what speed tier?

> As deceptive as that is however, my major complaint is that Comcast is intercepting web pages and then altering them by filling them with hundreds of lines of code. Even worse is that I've had to speak to 7 different supervisors from all areas of Comcast and they have either never heard of the process, or those who were aware of the practice don't know how to turn it off.

[JL] That is a failure on our end we'll have to take a look at. This should show up in your account when they look at it.

> Comcast has my phone office number, my cell for texts, my email, and my home address, yet they choose to molest my requested web pages by injecting hundreds of lines of code.

[JL] The notice is typically sent after a customer ignores several emails. Perhaps some of those ended up in your spam folder?

JL
I'll leave it up to you as to how much BS there is.
 
#9 ·
The real question is where they are doing this, I mean at what level. Is this something their router injects, is it something they alter as it passes through them to you, is it built into some software they give customers?

I always used my own router and modem with Comcast, would that prevent this from happening? (presuming it's not done en route to the customer)
 
#10 ·
Quote:
Originally Posted by Zer0CoolX View Post

The real question is where they are doing this, I mean at what level. Is this something their router injects, is it something they alter as it passes through them to you, is it built into some software they give customers?

I always used my own router and modem with Comcast, would that prevent this from happening? (presuming it's not done en route to the customer)
It would be done by modifying traffic as it passes through their network, routers will hijack sessions to notify of things like connection drops but it would be a terrible method of warning against something like a malware infection (which this was originally designed for).

Primarily because they'd need to implement traffic analysis on the router capable of detecting abnormalities, it would be more cost effective to simply keep it all upstream where they run traffic analysis already.
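One way to check for the in-path modification discussed in the posts above is to compare the copy of a page received over plain HTTP with a reference copy of the same page fetched over TLS or from another network, and list any script blocks that only the plain-HTTP copy contains. This is an added example, not part of the thread and not code from Comcast or RFC 6108; the two HTML documents are constructed samples and the function names are hypothetical.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Record every <script> element as (src, sha256 of body, line count)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open, self._src, self._body = [], False, None, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open, self._src, self._body = True, dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._open:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._open:
            body = "".join(self._body).strip()
            digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
            self.scripts.append((self._src, digest, len(body.splitlines())))
            self._open = False

def scripts_in(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts

def injected_scripts(reference_html, observed_html):
    """Scripts in the plain-HTTP copy that the reference copy does not have."""
    known = {(src, digest) for src, digest, _ in scripts_in(reference_html)}
    return [s for s in scripts_in(observed_html) if (s[0], s[1]) not in known]

# Constructed sample: the page as its origin serves it (reference copy).
REFERENCE = ('<html><head><title>Example</title>\n'
             '<script src="/static/app.js"></script>\n'
             '</head><body><p>Hello</p></body></html>')
# Constructed sample: the same page with an inline block added in transit.
OBSERVED = REFERENCE.replace(
    "</body>",
    "<script>\nvar notice = 'constructed overlay';\n"
    "document.title = notice;\n</script></body>")

if __name__ == "__main__":
    for src, digest, lines in injected_scripts(REFERENCE, OBSERVED):
        print(f"extra script src={src} lines={lines} sha256={digest[:16]}")
```

Pages that generate inline scripts per request will also differ between two fetches, so a hit is a prompt to read the extra block, not proof of tampering on its own.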
 
#12 ·
Comcast also does this to tell you you are close to or have gone over your data cap. I know because they did it to me after I started using Backblaze. A 1 GB connection that I cannot really use because of a pointless data cap.

It is wrong to inject messages into my web traffic instead of simply emailing me.
 
#13 ·
The source for this thread is a bit sensational, at least the tone of the whole thing is, but the larger issue it brings up is important.

There have been rules about Net Neutrality for a lot longer than the term has been around in popular use. Over the last several decades those rules have slowly been removed/changed one by one, with some appearing in favor of the consumer, but disproportionately in favor of the Corporation. Certain levels of privacy were always extended to the consumer, it used to be taboo to keep any "meta" data on customers.

In terms of what was kept and monitored it was MAC, IP, Online/Offline State, and if you wanted total data used. If the CPE aged out, or was going to EOL, you would perform a combination of e-mail, snail-mailed, or call to notify them. People even used to be concerned on how long DNS queries were retained, if at all. That said, looking at your customer's connections actively was really, always, a no-no; DPI was(is?) explicitly illegal without warrant.

Now major providers are logging every little thing they can, in extreme cases key-logging and DPI, to general snooping. Providers doing things like charging $5+ per month just to have "WiFi" enabled on their CPE and refusing to acknowledge that doing such a thing is one of the most egregious scams in consumer-IT.

tl;dr: We had protection before, it was stripped away, they are only continuing to do so, it will only get worse. Corporations don't function with a moral compass, they function via a financial compass, as such they will know no bounds.
 
#14 ·
so.... no mention of running NoScript and seeing if it's passed through anyways? That would be the real kicker to how this system actually works.

Either way, it seems pretty obvious they are publicly trying to get you to ignore it as some sort of service message.

I'd request the system be disabled on your account, and if they refuse, ask them to provide actual data regarding the system and why your request is being denied. I'd go up the chain until you get a firm answer.
 
#16 ·
I've been patiently waiting for a new ISP to offer even a sliver of connection that I get through Comcast
Sadly i don't think it will ever happen
Pick your poison with big corp. anymore
I am at least thankful that I'm not stuck with Verizon for my internet.
Every time I'm without Comcast I dread not having the speed and reliability of the network, yet every time we get back together;
always some haphazard attempt at more money, more information, more ****atory

Truth is I can't live without her, and she can't live without me (us). The scandal may change, the romance WILL continue.
You can have my rights, but not my speed
 
#17 ·
They do the same when you use their WiFi hotspot (I know I'm using your hotspot you don't have to tell me with random popups) so I can't say I'm surprised.

This has got to be the worst method to get official information across though. Even my grandparents assume all popups are scams.
 
#19 ·
Quote:
Originally Posted by Asmodian View Post

Comcast also does this to tell you you are close to or have gone over your data cap. I know because they did it to me after I started using Backblaze. A 1 GB connection that I cannot really use because of a pointless data cap.

It is wrong to inject messages into my web traffic instead of simply emailing me.
I have not gotten anything like that but I've only gone over my datacap once. Not 100% sure if I actually have a datacap or not. I've had one month that I surpassed the datacap and Total Monthly Overage was still 0.

Still have no idea why the datacap is so low to start with. Comcast is still the only choice I have in my area if I want fast internet connection.
 
#20 ·
Quote:
Originally Posted by Revan654 View Post

I have not gotten anything like that but I've only gone over my datacap once. Not 100% sure if I actually have a datacap or not. I've had one month that I surpassed the datacap and Total Monthly Overage was still 0.

Still have no idea why the datacap is so low to start with. Comcast is still the only choice I have in my area if I want fast internet connection.
Comcast generally has a 1 terabyte cap.
 
#22 ·
Quote:
Originally Posted by mattliston View Post

so.... no mention of running NoScript and seeing if it's passed through anyways? That would be the real kicker to how this system actually works.

Either way, it seems pretty obvious they are publicly trying to get you to ignore it as some sort of service message.

I'd request the system be disabled on your account, and if they refuse, ask them to provide actual data regarding the system and why your request is being denied. I'd go up the chain until you get a firm answer.
It's been a while since you called Comcast, hasn't it? If you can wait the 15-20 mins to actually talk to a real person, then be put on hold and/or disconnected and retry 1-2 times, then get passed between depts and put on hold and/or disconnected again...by the time you get a person who can actually "help" you their recent mantra in places they have no competition is "Ok, don't use our service then...".

They know that a good portion of people have no option but to use their service, however they decide to provide it. They quite literally intentionally make the "customer service" experience terrible as they figure if 6-10 people calling give up, money saved. If 3/4 of those get fed up with the provided support and hang up...money saved. If that last person perseveres then they gave 1/10 people what they wanted and saved a ton of money providing s**t customer service. They know they have no need to appease people.

Even in places they have a competitor like Verizon, they know people are going to swap back and forth for the deals. For every person threatening to leave them, they are getting a new customer from Verizon. Your personal opinion of them isn't relevant in their business model.

Verizon plays games too, don't get me wrong (as do most other ISPs I'd imagine).

I think the best thing you can do now as a customer:
  • Get your own equipment
  • Limit your dependence on ISPs (use other email, cut your services down to only what you need, etc)
  • Nickel and dime them as much as you can stand (call on occasion and ask for a price cut or faster/more service for the same price) *
  • When available flip flop providers for the best deals. 1-2 years with one, then the other. Put it in your name, your wife's name, your kid's name at college, etc.
* I did this once and went from 25Mbps to 150Mbps service for the same price. Another time we got some extra channels for like $10 less per month. You have to be cold blooded about it because they are hiking up the price every chance they get.

@mattliston good point about the script blockers. I can't speak to if it works but I can't see why not. I personally am using uMatrix and Adblock Plus. I have been using ABP for a long time, and just recently started using uMatrix and am wondering why I didn't much longer ago. Between having nothing and having both it's like going from walking the streets of downtown Detroit after an apocalypse to...well any place in Canada?
 
#23 ·
Don't worry. Free market will fix it.

Bwahahaha
 
#25 ·
Some choices Comcast makes make no sense, they offer you gig lines but you still have the same datacaps as everyone else. You would think paying a higher price would increase the datacap by at least a TB. Even Verizon doesn't have such a low datacap. Theirs is 10 to 20TB based on the plan you pick (I wish Fios or even Google was an option in my area).

My area has some weird contract with another telephone company which has exclusive rights to the area. Verizon wants to offer services in the area but they're not letting them in for some reason. I have noticed Comcast is now offering gig lines in my area for 79.99 to 104. Which is basically the same price I'm paying now for internet (I have 250 Down) (Which is robbery for this type of internet speeds if you ask me).

---

I went through my settings for the first time in ages on my account, I didn't know how much tracking they were doing. I opted out of everything. Thankfully VPNs do exist and my router filters other things out.
 
#26 ·
Quote:
Originally Posted by bmgjet View Post

Waits for them to inject javascript bitcoin miner.
Wait? Probably already being done.
 