{"id":419,"date":"2014-10-26T20:53:40","date_gmt":"2014-10-26T20:53:40","guid":{"rendered":"http:\/\/josephpcohen.com\/w\/?p=419"},"modified":"2022-04-10T18:10:27","modified_gmt":"2022-04-10T22:10:27","slug":"what-is-comcast-xfinity-wifi-code-injection-doing","status":"publish","type":"post","link":"https:\/\/josephpcohen.com\/w\/what-is-comcast-xfinity-wifi-code-injection-doing\/","title":{"rendered":"What is Comcast\/Xfinity WiFi Code Injection Doing?"},"content":{"rendered":"

I recently used Comcast aka Xfinity Wifi and saw some strange popups in the lower right hand corner caused by JavaScript injected into the page I visited because it was not over https. I read about it at\u00a0arstechnica.com<\/a>\u00a0and pcworld.com<\/a>\u00a0and it seems to have started recently.
\n<\/p>\n

So I ask: what is Comcast doing? So I captured some code and network traffic and analyze it a bit. I captured two JavaScript files in my browser by visiting a page without https. They are posted here after running jsbeautifier on them: GitHub GIST<\/a><\/p>\n

First lets talk about how they put the javascript on the page I visited. Here is how the code looks normally:<\/p>\n

\"image00\"<\/a><\/p>\n

 <\/p>\n

And now after the injection:<\/p>\n

 <\/p>\n

\"image01\"<\/a><\/p>\n

 <\/p>\n

So it appears only one line was added but the other included were out of order… which would imply they parsed the entire DOM and then rendered the HTML again. What else did they extract from my page view? Studying the network traffic also shows something was sent back to Comcast with data in the GET request. there was an empty response but it states it was sent with a PorchLight\/7.0.1406.154 Server which doesn’t seem to have results on Google.<\/p>\n

\"image02\"<\/a><\/p>\n

 <\/p>\n

So what is the code doing? One function that does not have it’s name erased is “sendAccounting” which is shown here. I think the “(f + u)” is hilarious given the context.<\/p>\n

function sendAccounting(o, t) {\r\no = o || 1;\r\nt = t || 0;\r\nvar e = new Image;\r\n11 == t || C && 6 == t || (e.src = \"http:\/\/162.150.17.229:80\/\" + o + \"-142\/30a69d42-6360-441c-9a87-bc2bddfd9ac4_cb32:3299:871f:5b80:5d0f::1\/\" + t + \".\" + (f + u));\r\nreturn e\r\n}\r\n<\/pre>\n
This code is called here:<\/p>\n
t.json._accounting = {\r\n                stopTime: c,\r\n                sendAccounting: sendAccounting,\r\n                uri: \"http:\/\/162.150.17.229\/static\",\r\n                check: o(\"%TOPURLMATCH%\"),\r\n                direct: !1\r\n            }\r\n<\/pre>\n
Searching for “%TOPURLMATCH%” this code seems to be referenced on the web in a Toms Hardware<\/a> post which has the IP 162.150.17.217 which is very similar to the one I am seeing 162.150.17.229. “Comcast Cable” owns these IPs and the reverse DNS is xfwfpl-nwca-03.sys.comcast.net and xfwfpl-nwca-05.sys.comcast.net. The date is this post is April 30, 2014 which means this has been going on since at least then.<\/p>\n
Next looking at the popup code it seems to filter out two domains from this popup. Why?<\/p>\n
pe = \"*.groupon.com\/* *.adobe.com\/*\",\r\n<\/pre>\n
It seems blocking the subnet 162.150.17.x will prevent Comcast from launching these scripts from working.<\/p>\n
 <\/p>\n
What are the potential of these scripts? Why is this bad?<\/h3>\n
A long time ago I worked on a project to demonstrate how bad JavaScript injection can be called GravityScript https:\/\/code.google.com\/p\/gravityscript\/<\/a> which is a general version of Google Gravity<\/a>. This showcases that a small line of JavaScript code can touch everything on the page. This is the same principle behind Google AdSense. A small snippet of code is inserted on the page that analyzes the content by reading the text and renders an advertisement specific to that content.<\/p>\n
Comcast is the ISP so they already know what sites people are visiting. What this gives Comcast is the ability to track individual user’s browsing habits instead of being confused by seeing an entire household’s network traffic as one user. Beyond all the traffic Comcast can already observe JavaScript in the browser gives them the ability to see where your mouse is, what your screen resolution is, what browser you are using, and what plugins you have installed.<\/p>\n","protected":false},"excerpt":{"rendered":"
I recently used Comcast aka Xfinity Wifi and saw some strange popups in the lower right hand corner caused by JavaScript injected into the page […]<\/a><\/p>\n<\/div>","protected":false},"author":1,"featured_media":445,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"yoast_head":"\nWhat is Comcast\/Xfinity WiFi Code Injection Doing? - Joseph Paul Cohen PhD<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/josephpcohen.com\/w\/what-is-comcast-xfinity-wifi-code-injection-doing\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"What is Comcast\/Xfinity WiFi Code Injection Doing? - Joseph Paul Cohen PhD\" \/>\n<meta property=\"og:description\" content=\"I recently used Comcast aka Xfinity Wifi and saw some strange popups in the lower right hand corner caused by JavaScript injected into the page [...]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/josephpcohen.com\/w\/what-is-comcast-xfinity-wifi-code-injection-doing\/\" \/>\n<meta property=\"og:site_name\" content=\"Joseph Paul Cohen PhD\" \/>\n<meta property=\"article:published_time\" content=\"2014-10-26T20:53:40+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-04-10T22:10:27+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/josephpcohen.com\/w\/wp-content\/uploads\/2014\/10\/Screen-Shot-2014-10-28-at-8.39.51-PM.png\" \/>\n\t<meta property=\"og:image:width\" content=\"400\" \/>\n\t<meta property=\"og:image:height\" content=\"146\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Joseph Paul Cohen\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Joseph Paul Cohen\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/josephpcohen.com\/w\/what-is-comcast-xfinity-wifi-code-injection-doing\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/josephpcohen.com\/w\/what-is-comcast-xfinity-wifi-code-injection-doing\/\"},\"author\":{\"name\":\"Joseph Paul Cohen\",\"@id\":\"https:\/\/josephpcohen.com\/w\/#\/schema\/person\/e25d0d5746952220f35d182ca7aa8684\"},\"headline\":\"What is Comcast\/Xfinity WiFi Code Injection Doing?\",\"datePublished\":\"2014-10-26T20:53:40+00:00\",\"dateModified\":\"2022-04-10T22:10:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/josephpcohen.com\/w\/what-is-comcast-xfinity-wifi-code-injection-doing\/\"},\"wordCount\":521,\"publisher\":{\"@id\":\"https:\/\/josephpcohen.com\/w\/#\/schema\/person\/e25d0d5746952220f35d182ca7aa8684\"},\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/josephpcohen.com\/w\/what-is-comcast-xfinity-wifi-code-injection-doing\/\",\"url\":\"https:\/\/josephpcohen.com\/w\/what-is-comcast-xfinity-wifi-code-injection-doing\/\",\"name\":\"What is Comcast\/Xfinity WiFi Code Injection Doing? - Joseph Paul Cohen PhD\",\"isPartOf\":{\"@id\":\"https:\/\/josephpcohen.com\/w\/#website\"},\"datePublished\":\"2014-10-26T20:53:40+00:00\",\"dateModified\":\"2022-04-10T22:10:27+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/josephpcohen.com\/w\/what-is-comcast-xfinity-wifi-code-injection-doing\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/josephpcohen.com\/w\/what-is-comcast-xfinity-wifi-code-injection-doing\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/josephpcohen.com\/w\/what-is-comcast-xfinity-wifi-code-injection-doing\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/josephpcohen.com\/w\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"What is Comcast\/Xfinity WiFi Code Injection Doing?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/josephpcohen.com\/w\/#website\",\"url\":\"https:\/\/josephpcohen.com\/w\/\",\"name\":\"Joseph Paul Cohen PhD\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/josephpcohen.com\/w\/#\/schema\/person\/e25d0d5746952220f35d182ca7aa8684\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/josephpcohen.com\/w\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/josephpcohen.com\/w\/#\/schema\/person\/e25d0d5746952220f35d182ca7aa8684\",\"name\":\"Joseph Paul Cohen\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/josephpcohen.com\/w\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/a810b57939e75247f570c9094e7bd16e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/a810b57939e75247f570c9094e7bd16e?s=96&d=mm&r=g\",\"caption\":\"Joseph Paul Cohen\"},\"logo\":{\"@id\":\"https:\/\/josephpcohen.com\/w\/#\/schema\/person\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"What is Comcast\/Xfinity WiFi Code Injection Doing? - Joseph Paul Cohen PhD","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/josephpcohen.com\/w\/what-is-comcast-xfinity-wifi-code-injection-doing\/","og_locale":"en_US","og_type":"article","og_title":"What is Comcast\/Xfinity WiFi Code Injection Doing? - Joseph Paul Cohen PhD","og_description":"I recently used Comcast aka Xfinity Wifi and saw some strange popups in the lower right hand corner caused by JavaScript injected into the page [...]","og_url":"https:\/\/josephpcohen.com\/w\/what-is-comcast-xfinity-wifi-code-injection-doing\/","og_site_name":"Joseph Paul Cohen PhD","article_published_time":"2014-10-26T20:53:40+00:00","article_modified_time":"2022-04-10T22:10:27+00:00","og_image":[{"width":400,"height":146,"url":"https:\/\/josephpcohen.com\/w\/wp-content\/uploads\/2014\/10\/Screen-Shot-2014-10-28-at-8.39.51-PM.png","type":"image\/png"}],"author":"Joseph Paul Cohen","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Joseph Paul Cohen","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/josephpcohen.com\/w\/what-is-comcast-xfinity-wifi-code-injection-doing\/#article","isPartOf":{"@id":"https:\/\/josephpcohen.com\/w\/what-is-comcast-xfinity-wifi-code-injection-doing\/"},"author":{"name":"Joseph Paul Cohen","@id":"https:\/\/josephpcohen.com\/w\/#\/schema\/person\/e25d0d5746952220f35d182ca7aa8684"},"headline":"What is Comcast\/Xfinity WiFi Code Injection Doing?","datePublished":"2014-10-26T20:53:40+00:00","dateModified":"2022-04-10T22:10:27+00:00","mainEntityOfPage":{"@id":"https:\/\/josephpcohen.com\/w\/what-is-comcast-xfinity-wifi-code-injection-doing\/"},"wordCount":521,"publisher":{"@id":"https:\/\/josephpcohen.com\/w\/#\/schema\/person\/e25d0d5746952220f35d182ca7aa8684"},"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/josephpcohen.com\/w\/what-is-comcast-xfinity-wifi-code-injection-doing\/","url":"https:\/\/josephpcohen.com\/w\/what-is-comcast-xfinity-wifi-code-injection-doing\/","name":"What is Comcast\/Xfinity WiFi Code Injection Doing? - Joseph Paul Cohen PhD","isPartOf":{"@id":"https:\/\/josephpcohen.com\/w\/#website"},"datePublished":"2014-10-26T20:53:40+00:00","dateModified":"2022-04-10T22:10:27+00:00","breadcrumb":{"@id":"https:\/\/josephpcohen.com\/w\/what-is-comcast-xfinity-wifi-code-injection-doing\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/josephpcohen.com\/w\/what-is-comcast-xfinity-wifi-code-injection-doing\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/josephpcohen.com\/w\/what-is-comcast-xfinity-wifi-code-injection-doing\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/josephpcohen.com\/w\/"},{"@type":"ListItem","position":2,"name":"What is Comcast\/Xfinity WiFi Code Injection Doing?"}]},{"@type":"WebSite","@id":"https:\/\/josephpcohen.com\/w\/#website","url":"https:\/\/josephpcohen.com\/w\/","name":"Joseph Paul Cohen PhD","description":"","publisher":{"@id":"https:\/\/josephpcohen.com\/w\/#\/schema\/person\/e25d0d5746952220f35d182ca7aa8684"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/josephpcohen.com\/w\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/josephpcohen.com\/w\/#\/schema\/person\/e25d0d5746952220f35d182ca7aa8684","name":"Joseph Paul Cohen","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/josephpcohen.com\/w\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/a810b57939e75247f570c9094e7bd16e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/a810b57939e75247f570c9094e7bd16e?s=96&d=mm&r=g","caption":"Joseph Paul Cohen"},"logo":{"@id":"https:\/\/josephpcohen.com\/w\/#\/schema\/person\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/josephpcohen.com\/w\/wp-json\/wp\/v2\/posts\/419"}],"collection":[{"href":"https:\/\/josephpcohen.com\/w\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/josephpcohen.com\/w\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/josephpcohen.com\/w\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/josephpcohen.com\/w\/wp-json\/wp\/v2\/comments?post=419"}],"version-history":[{"count":34,"href":"https:\/\/josephpcohen.com\/w\/wp-json\/wp\/v2\/posts\/419\/revisions"}],"predecessor-version":[{"id":1476,"href":"https:\/\/josephpcohen.com\/w\/wp-json\/wp\/v2\/posts\/419\/revisions\/1476"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/josephpcohen.com\/w\/wp-json\/wp\/v2\/media\/445"}],"wp:attachment":[{"href":"https:\/\/josephpcohen.com\/w\/wp-json\/wp\/v2\/media?parent=419"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/josephpcohen.com\/w\/wp-json\/wp\/v2\/categories?post=419"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/josephpcohen.com\/w\/wp-json\/wp\/v2\/tags?post=419"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}