What is Comcast/Xfinity WiFi Code Injection Doing?

I recently used Comcast aka Xfinity Wifi and saw some strange popups in the lower right hand corner caused by JavaScript injected into the page I visited because it was not over https. I read about it at arstechnica.com and pcworld.com and it seems to have started recently.





So I ask: what is Comcast doing? So I captured some code and network traffic and analyze it a bit. I captured two JavaScript files in my browser by visiting a page without https. They are posted here after running jsbeautifier on them: GitHub GIST

First lets talk about how they put the javascript on the page I visited. Here is how the code looks normally:

image00

 

And now after the injection:

 

image01

 

So it appears only one line was added but the other included were out of order… which would imply they parsed the entire DOM and then rendered the HTML again. What else did they extract from my page view? Studying the network traffic also shows something was sent back to Comcast with data in the GET request. there was an empty response but it states it was sent with a PorchLight/7.0.1406.154 Server which doesn’t seem to have results on Google.

image02

 

So what is the code doing? One function that does not have it’s name erased is “sendAccounting” which is shown here. I think the “(f + u)” is hilarious given the context.

function sendAccounting(o, t) {
o = o || 1;
t = t || 0;
var e = new Image;
11 == t || C && 6 == t || (e.src = "http://162.150.17.229:80/" + o + "-142/30a69d42-6360-441c-9a87-bc2bddfd9ac4_cb32:3299:871f:5b80:5d0f::1/" + t + "." + (f + u));
return e
}

This code is called here:

t.json._accounting = {
                stopTime: c,
                sendAccounting: sendAccounting,
                uri: "http://162.150.17.229/static",
                check: o("%TOPURLMATCH%"),
                direct: !1
            }

Searching for “%TOPURLMATCH%” this code seems to be referenced on the web in a Toms Hardware post which has the IP 162.150.17.217 which is very similar to the one I am seeing 162.150.17.229. “Comcast Cable” owns these IPs and the reverse DNS is xfwfpl-nwca-03.sys.comcast.net and xfwfpl-nwca-05.sys.comcast.net. The date is this post is April 30, 2014 which means this has been going on since at least then.

Next looking at the popup code it seems to filter out two domains from this popup. Why?

pe = "*.groupon.com/* *.adobe.com/*",

It seems blocking the subnet 162.150.17.x will prevent Comcast from launching these scripts from working.





What are the potential of these scripts? Why is this bad?

A long time ago I worked on a project to demonstrate how bad JavaScript injection can be called GravityScript https://code.google.com/p/gravityscript/ which is a general version of Google Gravity. This showcases that a small line of JavaScript code can touch everything on the page. This is the same principle behind Google AdSense. A small snippet of code is inserted on the page that analyzes the content by reading the text and renders an advertisement specific to that content.

Comcast is the ISP so they already know what sites people are visiting. What this gives Comcast is the ability to track individual user’s browsing habits instead of being confused by seeing an entire household’s network traffic as one user. Beyond all the traffic Comcast can already observe JavaScript in the browser gives them the ability to see where your mouse is, what your screen resolution is, what browser you are using, and what plugins you have installed.




5 Comments

  1. I’ve never seen an injection from Comcast before, and it’s been ten years now. Maybe it just hasn’t hit my area yet, so I’ll be on the lookout.

  2. I noticed these ads myself when I started playing with Xfinity free wifi hotspots back in the Spring or Summer of this year. I had the same uncomfortable feeling as when I’ve experienced such javascript/ads injection on other free hotspot providers, like in airports or on planes.

    3 ways I use to workaround this issue, which also helps with other such wifi hotspots (and with other security issues in general):

    1) As stated before, using HTTPS connections whenever possible.

    2) Use a VPN service (often about $10/month) which encrypts your data between your machine and the VPN server out there on the ‘net you’re using (and paying for).

    3) Always a good idea for various reasons is to use the NoScript plugin with Firefox, which lets you selectively enable scripting on a per server/IP basis. This won’t stop the injection per se, but it will allow you to not execute the injected javascript, rendering it useless. I’ve used this to effectively ignore the injected Xfinity ads.

    BTW, when I’ve noticed these ad injections myself on Xfinity wifi and noticed the IP address (easily visible with NoScript), they were much different than the subnet mentioned in this article. Shoot, I didn’t take notes, but I definitely remember the first quad was 2 digits, and while there was no natural reverse DNS for it (I checked), I did a whois on the IP itself and confirmed it was owned by Comcast.

    -Jay

Comments are closed.