This article was published on December 11, 2017

Comcast continues to inject its own code into websites you visit



Comcast believes it’s acceptable to inject hundreds of lines of code into any web page you visit if it thinks you’re in need of a hardware upgrade. And even if you don’t need an upgrade, you’re wrong.

A user recently took to the company’s forums to complain of its practice of running its own code on webpages customers visit in order to prompt them with special Comcast messages.

Posting under the name “bham3dman” on the company’s official forum, the user stated:

Comcast began injecting 400+ lines of JavaScript code into pages I requested on the internet so that when the browser renders the web page, the JavaScript generates a pop up trying to up-sell me a new modem. When you call the number in the popup, they’re quick to tell you that you need a new modem, which in my case is not true. I later verified with level-2 support that my modem is perfectly fine and I don’t need to upgrade.

The customer goes on to state they took the time to speak with seven different company supervisors, none of whom could “turn it off.”

Comcast has my phone office number, my cell for texts, my email, and my home address, yet they choose to molest my requested web pages by injecting hundreds of lines of code. This is not like targeted advertisements when I visit websites with ads (which is perfectly acceptable), this instead is a direct manipulation of the original source code of the website. This is completely unacceptable to me and what’s worse is that Comcast provides no option to opt out of this horrific practice.

ISPs injecting code into websites is nothing new; it’s been going on for years. In fact, earlier this year Comcast was maligned for using the practice to warn users against piracy. And as far back as 2012, experts have warned about the implications.

Intercepting a customer’s unencrypted internet traffic and injecting code into it is essentially a “man in the middle” attack, according to Jarred Sumner, an expert who told ZDNet:

This probably means that Comcast is using [deep packet inspection] on subscriber’s internet and/or proxying subscriber internet when they want to send messages to subscribers. That would let Comcast modify unencrypted traffic in both directions. There are scarier scenarios where this could be used as a tool for censorship, surveillance, [or] selling personal information.

The company’s code informing customers they need a new modem is a little different, but the concept remains the same: Comcast can (and does) alter webpages whenever necessary by exploiting its position as a customer’s ISP.
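One way to check whether a page fetched over plain HTTP was altered in transit, shown here as an added example that is not from the article or the forum post: compare the script elements in the copy you received against a reference copy of the same page. The function names and sample HTML are constructed for illustration, and the reference copy is assumed to come from a path the ISP cannot modify, such as HTTPS or a VPN.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect every <script> element as (src, inline body) pairs."""
    def __init__(self):
        super().__init__()
        self.scripts = []   # (src or None, inline text)
        self._src = None
        self._buf = None    # a list while inside <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._buf = dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._buf = None

def script_fingerprints(html):
    """Map a stable key for each script to a short description of it."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    found = {}
    for src, body in parser.scripts:
        if src:   # external script: identify by URL
            found["src:" + src] = src
        else:     # inline script: identify by hash of its text
            digest = hashlib.sha256(body.encode()).hexdigest()
            found["inline:" + digest] = f"inline script, {len(body.splitlines())} line(s)"
    return found

def injected_scripts(reference_html, received_html):
    """Scripts in the received copy that the reference copy does not contain."""
    ref = script_fingerprints(reference_html)
    return [d for k, d in script_fingerprints(received_html).items() if k not in ref]

# Constructed sample: the page as the site serves it, and the same page
# after an on-path device added an inline script before </body>.
REFERENCE = '<head><script src="/static/app.js"></script></head><body><script>initPage();</script></body>'
RECEIVED = REFERENCE.replace(
    "</body>", "<script>\nvar n = 'constructed placeholder';\nshowNotice(n);\n</script></body>")
```

Pages that generate a different inline script on every request will show up as differences too, so a hit is a reason to inspect the script, not proof of tampering.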

Interestingly, when called out on its own forums for the practice earlier this month, a Comcast employee responded to contradict the poster.

There isn’t a week that goes by where my ISP (not Comcast, but no better) doesn’t send me at least five pieces of junk mail, practically begging me to sign up for other services. And if I’m fifteen seconds late on my bill I get a text message, an email to two different accounts, and a series of phone calls which continue daily until I’ve made the payment.

But please Comcast, tell us all more about your company’s need for a system to add your own code to webpages which erroneously tells people they need a new modem.
