> This attack entirely breaks tab ordering, deeming the internet unusable for people requiring software assistance to provide accessibility to the World Wide Web. Additionally, the “escape” key, which is often used to close dialogs, doesn’t close the Xfinity notice.
A few weeks (months?) back there was an article about ongoing litigation on if websites are required to have accessibility compliance under the ADA act. I would be very happy to see Xfinity sued for this practice under that precedent and hopefully any injection would be considered a violation.
Only tangentially related, but how is the ADA act looked upon by Americans? The only time I've heard about it as an European was when Stanford (?) was forced by litigation to take entire swathes of free online education offline because it didn't have subtitles. I'm all for making the web more accessible but it really soured me on the notion of such acts and if they are the best way to enforce said accessibility.
The litigation is over. The Supreme Court declined to hear the case a few weeks ago. The "Petition DENIED" at the bottom of that status page is referring to the petition for cert.
> 17 U.S.C. § 106:
> ...the owner of copyright under this title has the exclusive rights to do and to authorize any of the following:
> (2) to prepare derivative works based upon the copyrighted work;
Instead of conveying the authorized copy from the webserver to its intended recipient, Comcast is intercepting the original copy of the file and making a derivative version of the work. Unless they received special permission from each website owner (which is unlikely), Comcast is infringing someone's copyright every time they make a modified copy without permission.
How many HTML files have they willfully[1] modified?
[1] why willful? They published the technical details of how they modify the original work in an RFC.
One of the problems with this is the same as any other bad behaviours companies often do that are indistinguishable from an attack, such as asking for your PIN on the phone, or sending account-related e-mails with links: They condition the user to expect this is "legitimate".
As the article points out, an attacker could do something on an unrelated web server that injects this same notice (using the same code [1] as a basis), with a link that says something like "Extend your limit for free by 1GB", which loads a fake "Xfinity login" in a pop-up to phish their Xfinity account credentials. Because the link was presented using the familiar UI, it could easily trick someone and it would be nearly impossible for most users to realize it's not legitimately Xfinity.
I have first-hand knowledge about how Comcast's content injection happens. (they'd prefer to call it "User Messaging") I'm sure you'll find the same ability from several ISPs because they all purchased a network appliance that does the content injection.
One question people are asking here: does it work over HTTPS? No, it doesn't work over HTTPS, but if the page requests content via HTTP it is possible.
Interestingly enough, the technique is very similar to what Edward Snowden revealed as Quantum Insert, where HTTP requests monitored by the ISP are intercepted and another web server (the network appliance in question) is able to respond more quickly. It starts with a very fast response that leads to a 302 redirect. The network appliance will then serve up a modified version of a file (usually a JS asset). The injected JS will then query the network appliance for "messages" and show them if the user is "eligible" to receive them.
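A defender-side check for the kind of modification described in the comment above, added here as an example that is not from the thread or from any ISP appliance: fetch a page once through the ISP path and once out of band (for instance over HTTPS, or straight from the origin server), then list the script elements that exist only in the copy the client received. Unexpected script sources or inline bodies are exactly what an injected "messaging" asset looks like from the content owner's side. The two HTML documents and the 203.0.113.5 address are constructed sample data.

```python
"""Compare an origin copy of an HTML page with the copy a client received
and report script elements that were added in transit.
Added example, not code from the thread; sample pages are constructed."""
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect ("src", url) for external scripts and ("inline", body) for inline ones."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src))
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append(("inline", "".join(self._buf).strip()))


def collect_scripts(html):
    """Return the ordered list of script references found in an HTML document."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def injected_scripts(origin_html, received_html):
    """Scripts present in the received copy that the origin copy never shipped."""
    origin = collect_scripts(origin_html)
    return [s for s in collect_scripts(received_html) if s not in origin]


# Constructed sample: what the origin serves ...
ORIGIN_HTML = """<html><head><script src="/static/app.js"></script></head>
<body><h1>My blog</h1></body></html>"""

# ... and what arrived at the client, with an extra loader and an inline hook.
# 203.0.113.5 is a documentation-range address standing in for an appliance.
RECEIVED_HTML = """<html><head><script src="/static/app.js"></script>
<script src="http://203.0.113.5/messaging.js"></script>
<script>window.ispMsg = 1;</script></head>
<body><h1>My blog</h1></body></html>"""

if __name__ == "__main__":
    for kind, value in injected_scripts(ORIGIN_HTML, RECEIVED_HTML):
        print("injected script:", kind, value)
```

Run it against a real capture by replacing the two constants with the bytes of the out-of-band fetch and the in-path fetch; an empty result means the script set matched, a non-empty one is a concrete list to put in a report or alert.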
What is the appliance called? Do all HTTP requests flow through it and anything else bypasses it? Does it store or log any of the requests or responses?
I'm not sure if it still works like this or not, but up here in Canada with Shaw cable for the longest time, it just started out of nowhere one day, I'd always get redirected to a Shaw landing page or have Shaw ads injected into pages when I was browsing. I finally really noticed it one day so I did some searching at the time and found out Shaw has an option in their account page (enabled by default),
I can't remember what it's called, something like 'Shaw enhanced browsing' or some shit, but basically this 'feature' allows shaw to route traffic through their servers and inject content into sites. There was no description of this option in the account settings, they were buried 3 or 4 layers deep, there was no mention of this 'feature' from any of Shaw's customer service people, the only way I discovered this was through some random forum conversation I found.
There were also people mentioning (this never happened to me) that despite switching the option off, they would find it turned back on again a day or two later and have to repeat the process. I have no idea if this is still the case, this would have been quite a while ago now, but I was pretty unimpressed when I figured it out and realized what was going on.
On a broader level this is why the FCC is IMHO wrong in not considering broadband a telecommunication service. As ISPs inject their content (including advertising) into third party content, they essentially take over said content. E.g., if someone requests access to my content via their service, besides any corruption of functionality, artistic work and even intended meaning, any revenue generated by this is directly drawn from my content without license. From my perspective as a potential content provider, this is clearly a violation. It may be even a violation of existing contracts, e.g., if there's a no third parties clause involved in an existing advertising contract the content provider has agreed to.
From which quite naturally follows, if broadband providers in the US consider themselves content services rather than telecommunication services, they have to acquire licenses for the content they provide, as well. (Xfinity, may have your billing address?)
As a content provider this is why you need HTTPS, and it's why you should ensure your certificate is in the transparency logs, and that your site requires CT entries.
This is exactly why I cancelled my Comcast service a few years ago and switched to Sonic, even though it had orders of magnitude less bandwidth. I even offered to stay on as a customer, and pay whatever 'overage' fees they charged, if they implemented some way to make exceptions and never inject the data cap warning on my account, but they claimed that was impossible. When I returned the rental equipment, I made it absolutely clear that I considered this practice immoral and reprehensible.
If anyone else considers cancelling their service, but has trouble getting Comcast to let them actually do it, just remove your payment method from the account, and let them know that if they attempt charging to it again, you'll sue them for fraud; that'll get your account closed real quick!
The suburb (outside of Seattle city limits) that I live in is a suburban area, density is easily high enough.
My choices are Comcast (up to 1gbit down / 30 mbit up IIRC) or rotting exposed copper POTS (from Clink?) that has VDSL at something around 10mbit down / 1 mbit up.
Thus, I have only one choice of broadband provider and due to lack of competition as well as lack of regulation, no broadband providers that offer unlimited service* (technically Comcast will happily charge me 600 extra dollars a year for no increased speed but no caps; however they shouldn't even bother with caps on their highest tier packages).
I used Sonic (DSL) for five years while I lived in the south bay and I was extremely happy with the service and the company.
Where I live now comcast is the only broadband available and although the service is theoretically faster and somewhat less expensive, I'd pay twice the price for sonic. Comcast is unreliable, intermittently very slow, and the company is impossible to deal with.
They could measure the size of the JS payload, and subtract that from the size of the web page, before adding that number to the number of bytes used in a billing period. That way they could "more-fairly" measure bandwidth usage even with their MITM "value-add" and "informative" content.
Though, seriously, I have a hard time understanding the reasoning for data caps on DOCSIS infrastructure. On LTE, yes. WISP, yeah - kinda. DOCSIS, DSL and GPON? Absolutely no!
Not to mention the horrifying realization of most uninformed people that their ISP can and will intercept, log, modify or restrict access to content that the user has requested, even though the user has the right to such content, having paid the monthly subscription fee for the connection. But hey, I don't work at a large cable ISP, I couldn't possibly understand their reasoning and advanced calculations. /s
They typically don't count traffic within their network towards the data cap (e.g. streaming Xfinity TV), so I don't think it is safe to make an assumption about the banner one way or another.
I just got this as well. I’m appalled at the complete lack of thought put into this. I’ve had numerous emails & push notifications telling me I’m over my data cap; I don’t need injected content into my page in addition.
Honest question: If I own the copyright to a webpage (say my personal blog) and Comcast modifies my page to insert this "helpful" warning message, is it likely I'd have a case to sue them for creating an unauthorized derivative work of my content?
I used to live in Fort Collins and I was _floored_ the first time that an xfinity data limit popup appeared on a random website. Colorado needs a better provider.
I have GB fiber from CenturyLink for $85 until the city broadband, the city has had FTTH for at least 10 years or so, so anything new this should be doable.
This is sadly common: I’ve run Sentry (https://github.com/getsentry/onpremise) for years to collect JavaScript errors on the sites I run. If you haven’t done so, it’s eye-opening how noisy the JavaScript environment is for many people: ISPs, browser extensions, anti-virus software, etc. all injecting tons of marginally-tested code, most of it written at a level which would have been shameful back in 1998, and apparently little awareness of how to avoid polluting the global namespace.
A similar bit of malware had a surprising twist: many ISPs, especially mobile, used an image compressor which made things look terrible but, unexpectedly, it honored Cache-Control: no-transform. See https://stackoverflow.com/a/4113511/59984.
I’m curious whether Comcast does that – it would be surprising but also possible as a way to reduce the risk of lawsuits.
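The two response-side mitigations raised in this thread (the HTTPS/CT comment above, and the Cache-Control: no-transform behaviour in the comment just above) can be emitted from the application itself. The following is an added example in Python, not code from the thread or from any project mentioned in it: a WSGI middleware that sets Strict-Transport-Security and merges no-transform into whatever Cache-Control value the application already sends, so existing freshness directives survive. The demo_app and run_once helper exist only so the block runs in-process and are assumptions, not part of any real deployment.

```python
"""WSGI middleware adding the anti-tampering response headers discussed above.
Added example; demo_app and run_once are assumptions for in-process use."""

HARDENING_HEADERS = [
    # Browsers that have seen this header refuse plaintext HTTP for a year,
    # so the rewritable path an ISP appliance needs is never used again.
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    # RFC 7234 no-transform: intermediaries must not modify the payload.
    # Not every middlebox honours it, but the mobile compressors mentioned
    # in the thread did, and it removes the "we were just optimising" excuse.
    ("Cache-Control", "no-transform"),
]


def merge_headers(headers):
    """Return a copy of `headers` with the hardening values applied."""
    out = []
    seen_cache_control = False
    for name, value in headers:
        lname = name.lower()
        if lname == "cache-control":
            # Append no-transform to the application's own directives.
            seen_cache_control = True
            directives = [d.strip() for d in value.split(",") if d.strip()]
            if "no-transform" not in directives:
                directives.append("no-transform")
            out.append((name, ", ".join(directives)))
        elif lname == "strict-transport-security":
            continue  # replaced by the policy below
        else:
            out.append((name, value))
    out.append(HARDENING_HEADERS[0])
    if not seen_cache_control:
        out.append(HARDENING_HEADERS[1])
    return out


def harden(app):
    """Wrap a WSGI application so every response passes through merge_headers."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            return start_response(status, merge_headers(headers), exc_info)
        return app(environ, patched_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Hypothetical application that already sends a Cache-Control value."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Cache-Control", "max-age=60")])
    return [b"<h1>My blog</h1>"]


def run_once(app, path="/"):
    """Invoke a WSGI app in-process; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, body = run_once(harden(demo_app))
    print(status)
    for name, value in headers:
        print(f"{name}: {value}")
```

The thread's point about requiring CT entries was served by the Expect-CT response header, which browsers have since retired because Chrome now enforces CT for every publicly trusted certificate it accepts; that is why only HSTS and no-transform are set here. Neither header helps a page that is itself served over plain HTTP, which is the thread's central point: HSTS is only honoured after a first successful HTTPS visit (or a preload-list entry), and no-transform is a request that a hostile intermediary is free to ignore.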
At least Xfinity is giving you information /s. Optimum Online does this and serves me advertisements for new channels or movies available through VOD [1]
So much of the tone of this article is vaguely alarmist, which is a little annoying... seeing as the issue described is already extremely alarming
It didn't need the theatrics and intentionally misleading garnishments (like quoting Comcast's own RFC that's describing their own recommended behavior for themselves, then pointing out you can phish people, and then awkwardly trying to glue those tangential points together)
The bad behavior is bad enough that it'd stand on its own, and if it instead focused on things like accessibility up front, it'd be much stronger of an article (and people would be more likely to read it all the way through)
I'm curious about this as well. When I worked on content-based billing in Canada years ago, we zero-rated content that was served by us, so it wouldn't contribute towards data usage. That was a different time though and likely a different implementation.
First time I saw one of these 4 years ago was when it popped into a Steam sale advertising window. Really creeped me out. A sure sign Comcast is pretty much 100% infected with Bovine Spongiform Encephalopathy. Still they offer Internet that is 10 times faster than the competition. Ah, the tyranny of the last mile. I went with Comcast Business, and they don't have data caps...
I did the numbers with the AT&T sales rep here in South Texas, which has a similar plan and cap. If my math is anywhere close to correct (questionable), actually pulling 1000 Mbps would exhaust the 1 TB cap in about 2.3 hours.
Yes, hours. That cap cannot sustain the advertised speed for even one full day before hitting overage charges.
Needless to say, we went with a different service provider. We are fortunate here to have an option (alas, still a cable company) that has no data cap, but not everyone is so lucky.
I also have Xfinity and began to experience this a few years ago. When it started I configured my router (pfSense running on an APU2) to forward all outgoing connections on port 80 (and a selection of other commonly unencrypted ports) through a VPN - but leave all other ports, especially 443, alone.
I’ve been doing that ever since. It works great, and for me is a good trade-off over using a VPN for literally everything.
KingMachiavelli|6 years ago
Status of supreme court case: https://www.scotusblog.com/case-files/cases/dominos-pizza-ll...
pdkl95|6 years ago
>> 17 U.S.C. § 106
gregmac|6 years ago
[1] https://rietta.com/blog/comcast-insecure-injection/injection...
Sephr|6 years ago
I asked the person responsible for the banner if it counted towards data caps and was ignored. https://twitter.com/sephr/status/941067958096244741
grepsedawk|6 years ago
Those are the ways I want to be contacted.
kdbg|6 years ago
https://web.archive.org/web/20191029172726/https://rietta.co...
jermaustin1|6 years ago
1: https://imgur.com/a/UZYd7JH
jkoberg|6 years ago
That's not how internet was billed in 1999. You paid for the size of the pipe, not how much data came through.
Per-byte pricing is pretty much a cell carrier and Comcast invention