On November 20th, 2012 Comcast hijacked my HTTP traffic and re-routed it through their own servers, injecting a “notice” on the page before completing the request. What this means is instead of my web request being routed to the website I wanted to visit, Comcast took it upon themselves to hijack my web traffic, forcing it to go through their servers instead. This poses a massive security risk for users since there’s no telling what type of logging Comcast uses on their end. Why did they do all this? To force a “courtesy notice” on every webpage I visit until I logged into my Comcast account because I was within 90% of my new 300GB limit?

In my testing I discovered that this only affects HTTP traffic and not HTTPS traffic. What this means is while your online banking may be safe, any other website you visit over HTTP may cause your privacy to be at risk. This is a prime example of why SSL encryption on websites is so important. However, it may only be a matter of time before Comcast starts executing man in the middle attacks on SSL traffic.

Web Log

Here’s an excerpt from the servers web log

2601:5:300:83:6997:f2b7:4d2d:c7fd - - [20/Nov/2012:21:38:44 -0800] "GET / HTTP/1.1" 200
68.87.68.230 - - [20/Nov/2012:21:38:31 -0800] "GET / HTTP/1.1" 200
68.87.68.230 - - [20/Nov/2012:21:35:58 -0800] "GET / HTTP/1.1" 200
2601:5:300:83:6997:f2b7:4d2d:c7fd - - [20/Nov/2012:21:35:56 -0800] "GET / HTTP/1.1" 200<

All four requests were made by my computer. The first was made straight to the server using my IPv6 address of 2601:5:300:83:6997:f2b7:4d2d:c7fd. The second two requests were hijacked by Comcast so the request ended up coming from 68.87.68.230 (one of Comcast’s used to hijack customer’s web traffic).

After a request is hijacked, HTML code is injected into the web page to display this message

Comcast Courtesy Notice

Below is the code that Comcast is injecting into the page. If your browser doesn’t load the code below, you can view it here on GitHub.

<script language="JavaScript" type="text/javascript">
// Comcast Cable Communications, LLC Proprietary. Copyright 2012.
// Intended use is to display browser notifications for critical and time sensitive alerts.
var SYS_URL='/e8f6b078-0f35-11de-85c5-efc5ef23aa1f/aupm/notify.do';
// var image_url='http://servicealerts.comcast.net:8080/images/mt';
var image_url='http://xfinity.comcast.net/constantguard/BotAssistance/notice/images';
var headertext1='<strong>Comcast Courtesy Notice</strong>';
var textline1='You have reached 90% of your <b>monthly data usage allowance</b>.';
var textline2='Please sign in for more information and to remove this alert.';
var acknowledgebutton='<a href=\"#\" onClick="document.location.href=\''+SYS_URL+'?dispatch=redirect&redirectName=login&paramName=bmUid\'" title="Sign in to acknowledge" style="color: #FFFFFF;"><img alt="Sign in to acknowledge" src="'+image_url+'/mt_signin.png"/></a>';
var verifybulletin='<a href="http://customer.comcast.com/help-and-support/internet/data-usage-plans-nash/" target="_new">How do I know this message is from Comcast?</a>';
if(self.location==top.location) {
document.write('<style type="text/css">');
document.write('#comcast_content {width: 600px; height:240px; box-shadow: 10px 10px 5px #888; background: #fff; border: 1px solid #454545; position:absolute; top:50px; left:100px; zoom:1; z-index: 9999999; opacity:0.90; filter:alpha(opacity=90);}');
document.write('#comcast_content .header {height: 35px; background:url('+image_url+'/headerbg.gif) repeat-x;}');
document.write('#comcast_content .a {color: #00a3e0;}');
document.write('#comcast_content .logo {float:left;}');
document.write('#comcast_content .content-wrapper {padding-left: 18px; padding-right: 15px; padding-bottom: 12px;}');
document.write('#comcast_content .headerimage { margin-top: 15px;}');
document.write('#comcast_content .header1 {margin: 18px 0 0 0; color: #C00000; padding: 3px; font: 23px/24px bold Arial, Helvetica, sans-serif;}');
document.write('#comcast_content .textcontent {margin: 12px 0 0 0; text-align: center; color: #303030; word-spacing: 0px; font: 14px/15px Arial, Helvetica, sans-serif; line-height: 1.20;}');
document.write('#comcast_content .acknowledge {padding-top:6px; text-align: center;}');
document.write('#comcast_content .how-do-i {float:left; position:absolute; bottom:20px; left:18px; margin: 12px 0 0 0; font: 13px/14px bold Arial, Helvetica, sans-serif; text-align: bottom;}');
document.write('#comcast_content .comcast-wrapper {float:right; position:absolute; bottom:15px; right:18px; padding-top:0px; text-align: right;}');
document.write('</style>');
document.write('<div class="main-wrapper" id="comcast_content">');
document.write('<div class="header" onmousedown="javascript:dragStart(event,\'comcast_content\')">');
document.write('<img src="'+image_url+'/xfinity-logo.gif" alt="Xfinity" class="logo"/>');
document.write('</div>');
document.write('<div class="content-wrapper">');
document.write('<p class="header1">');
document.write(headertext1);
document.write('</p>');
document.write('<p class="textcontent">');
document.write(textline1);
document.write('</p>');
document.write('<p class="textcontent">');
document.write(textline2);
document.write('</p>');
document.write('<p class="how-do-i">');
document.write(verifybulletin);
document.write('</p>');
document.write('<div class="acknowledge">');
document.write(acknowledgebutton);
document.write('</div>');
document.write('<div class="comcast-wrapper">');
document.write('<img src="'+image_url+'/message-by-comcast.gif" alt="Message by Comcast"/>');
document.write('</div>');
document.write('</div>');
document.write('</div>');
}
// Function to Determine browser and version. Copyright 2001 by Mike Hall.
// See http://www.brainjar.com for terms of use.
function Browser() {
var ua, s, i;
this.isIE = false;
this.isNS = false;
this.version = null;
ua = navigator.userAgent;
s = "MSIE";
if ((i = ua.indexOf(s)) >= 1) {
this.isIE = true; this.version = parseFloat(ua.substr(i + s.length)); return;
}
s = "Netscape6/";
if ((i = ua.indexOf(s)) >= 0) {
this.isNS = true; this.version = parseFloat(ua.substr(i + s.length)); return;
}
s = "Gecko";
if ((i = ua.indexOf(s)) >= 0) {
this.isNS = true; this.version = 6.1; return;
}
}
var browser1 = new Browser();
var dragObj = new Object();
dragObj.zIndex = 99999;
function dragStart(event, id) {
var el;
var x, y;
if (id) dragObj.elNode = document.getElementById(id);
else {
if (browser1.isIE) dragObj.elNode = window.event.srcElement;
if (browser1.isNS) dragObj.elNode = event.target;
if (dragObj.elNode.nodeType == 3) dragObj.elNode = dragObj.elNode.parentNode;
}
if (browser1.isIE) {
x = window.event.clientX + document.documentElement.scrollLeft + document.body.scrollLeft;
y = window.event.clientY + document.documentElement.scrollTop + document.body.scrollTop;
}
if (browser1.isNS) {
x = event.clientX + window.scrollX;
y = event.clientY + window.scrollY;
}
dragObj.cursorStartX = x;
dragObj.cursorStartY = y;
dragObj.elStartLeft = parseInt(dragObj.elNode.style.left, 10);
dragObj.elStartTop = parseInt(dragObj.elNode.style.top, 10);
if (isNaN(dragObj.elStartLeft)) dragObj.elStartLeft = 100;
if (isNaN(dragObj.elStartTop)) dragObj.elStartTop = 50;
if (browser1.isIE) {
document.attachEvent("onmousemove", dragGo);
document.attachEvent("onmouseup", dragStop);
window.event.cancelBubble = true;
window.event.returnValue = false; }
if (browser1.isNS) {
document.addEventListener("mousemove", dragGo, true);
document.addEventListener("mouseup", dragStop, true);
event.preventDefault();
}
}
// End Function
function dragGo(event) {
var x, y;
if (browser1.isIE) {
x = window.event.clientX + document.documentElement.scrollLeft + document.body.scrollLeft;
y = window.event.clientY + document.documentElement.scrollTop + document.body.scrollTop;
}
if (browser1.isNS) {
x = event.clientX + window.scrollX; y = event.clientY + window.scrollY;
}
dragObj.elNode.style.left = (dragObj.elStartLeft + x - dragObj.cursorStartX) + "px";
dragObj.elNode.style.top = (dragObj.elStartTop + y - dragObj.cursorStartY) + "px";
if (browser1.isIE) { window.event.cancelBubble = true; window.event.returnValue = false; }
if (browser1.isNS) event.preventDefault(); }
function dragStop(event) {
if (browser1.isIE) {
document.detachEvent("onmousemove", dragGo);
document.detachEvent("onmouseup", dragStop);
}
if (browser1.isNS) {
document.removeEventListener("mousemove", dragGo, true);
document.removeEventListener("mouseup", dragStop, true);
}
}
var xmlhttp=false; /*@cc_on @*/ /*@if (@_jscript_version >= 5) try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); } catch (E) { xmlhttp = false; } } @end @*/ if (!xmlhttp && typeof XMLHttpRequest!='undefined') { try { xmlhttp = new XMLHttpRequest(); } catch (e) { xmlhttp=false; } } if (!xmlhttp && window.createRequest) { try { xmlhttp = window.createRequest(); } catch (e) { xmlhttp=false; } }
function acknowledge() { sendAck(); document.getElementById('comcast_content').style.display="none"; }
function sendAck(){ xmlhttp.open("GET", SYS_URL+'?dispatch=ackBulletin',true); xmlhttp.send(null) }
var comcastCheck=1;
var comcastTimer;
function checkBulletin(){
if(comcastCheck==0) { return; }
xmlhttp.open("GET", SYS_URL+'?dispatch=checkBulletin',true);
xmlhttp.onreadystatechange = function() {
if (xmlhttp.readyState == 4) {
if(xmlhttp.responseText.indexOf('43a1028c-7d11-11de-b687-1f15c5ad6a13')==-1){
document.getElementById('comcast_content').style.display="none";
comcastCheck=1;
}
comcastTimer=setTimeout("checkBulletin()",5000);
};
};
xmlhttp.send(null);
}
checkBulletin();
</script>
view raw ComcastInject.html hosted with ❤ by GitHub