Comcast Courtesy Notice

Comcast caught hijacking web traffic

On November 20th, 2012 Comcast hijacked my HTTP traffic and re-routed it through their own servers, injecting a “notice” into the page before completing the request. In other words, instead of my web request going to the website I wanted to visit, Comcast took it upon themselves to hijack it and force it through their servers. This poses a massive security risk for users, since there’s no telling what type of logging Comcast does on their end. Why did they do all this? To force a “courtesy notice” onto every webpage I visited until I logged into my Comcast account, because I was within 90% of my new 300GB limit?

In my testing I discovered that this only affects HTTP traffic, not HTTPS traffic. So while your online banking may be safe, any other website you visit over HTTP may put your privacy at risk. This is a prime example of why SSL encryption on websites is so important. However, it may only be a matter of time before Comcast starts executing man-in-the-middle attacks on SSL traffic.

Web Log

Here’s an excerpt from the server’s web log:

2601:5:300:83:6997:f2b7:4d2d:c7fd - - [20/Nov/2012:21:38:44 -0800] "GET / HTTP/1.1" 200
68.87.68.230 - - [20/Nov/2012:21:38:31 -0800] "GET / HTTP/1.1" 200
68.87.68.230 - - [20/Nov/2012:21:35:58 -0800] "GET / HTTP/1.1" 200
2601:5:300:83:6997:f2b7:4d2d:c7fd - - [20/Nov/2012:21:35:56 -0800] "GET / HTTP/1.1" 200

All four requests were made by my computer; the log lists the newest first. The earliest request went straight to the server from my IPv6 address, 2601:5:300:83:6997:f2b7:4d2d:c7fd. The two requests in between were hijacked by Comcast, so they arrived at the server from 68.87.68.230 (one of Comcast’s servers used to hijack customers’ web traffic) instead of from my address.

After a request is hijacked, HTML code is injected into the web page to display this message:

Comcast Courtesy Notice

Below is the code that Comcast is injecting into the page. If your browser doesn’t load the code below, you can view it here on GitHub.
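As an added example (not code from the post, and not Comcast’s injected snippet, which the post links to rather than reproduces), the check below shows the only way a site owner can catch this kind of in-transit modification: compare what a client actually received with what the origin sent. That comparison is exactly the integrity guarantee HTTPS gives for free and plain HTTP lacks. Both HTML strings are constructed for the example, and the notice markup is a placeholder.

```python
import difflib
import hashlib

# CONSTRUCTED reference copy of a page exactly as the origin server sends it.
# This is not the real page from the post.
REFERENCE_HTML = """<html>
<head><title>Example</title></head>
<body>
<h1>Hello</h1>
<p>Served over plain HTTP.</p>
</body>
</html>
"""

# CONSTRUCTED copy of the same page as seen from a residential connection
# behind an intercepting proxy.  The notice line is a placeholder; the
# actual Comcast markup is linked from the post rather than shown here.
RECEIVED_HTML = """<html>
<head><title>Example</title></head>
<body>
<div id="isp-notice">[placeholder for the injected courtesy notice]</div>
<h1>Hello</h1>
<p>Served over plain HTTP.</p>
</body>
</html>
"""


def page_digest(html):
    """SHA-256 of the page body; cheap first test for 'did anything change'."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def injected_segments(reference, received):
    """Return the blocks of lines present in `received` but absent from `reference`.

    A line-level diff is used so a whole injected element comes back as one
    segment instead of a scatter of characters.
    """
    ref_lines = reference.splitlines()
    got_lines = received.splitlines()
    matcher = difflib.SequenceMatcher(a=ref_lines, b=got_lines, autojunk=False)
    segments = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        # 'insert' is pure injection; 'replace' covers an element that was
        # rewritten in transit.  Either way the received side is the foreign text.
        if tag in ("insert", "replace"):
            segments.append("\n".join(got_lines[j1:j2]))
    return segments


def integrity_check(reference, received):
    """Return (intact, injected_segments) for a page fetched through an untrusted path."""
    if page_digest(reference) == page_digest(received):
        return True, []
    return False, injected_segments(reference, received)


if __name__ == "__main__":
    intact, injected = integrity_check(REFERENCE_HTML, RECEIVED_HTML)
    print("page intact:", intact)
    for segment in injected:
        print("foreign content:", segment)
```

In practice the `received` side would come from a probe that fetches the site over HTTP from a customer vantage point (the only place the modification is visible), while `reference` is the origin’s own copy; the origin server’s logs alone, as the post’s excerpt shows, only reveal that the request came from a different address.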

27 replies
  1. Graphicline says:

    Ryan;
    I had a DoS attack on my domain today from a Comcast IP 75.69.194.57 using this script. “/e8f6b078-0f35-11de-85c5-efc5ef23aa1f/aupm/notify.do?dispatch=checkBulletin” Attack continued for 101 minutes during which time all other traffic was unable to access any of the sites on my domain.
    This was probably a hacker who uses Comcast, and not Comcast themselves of course. However, I don’t appreciate an ISP adding scripts like this to their clients’ traffic, and am banning Comcast IPs.
    Thanks for the info – much appreciated

    • BowserKoopa says:

      The script fails to function properly – thus it attempts to reconnect every five seconds. This would be your “DoS” attack.

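An added example, not from the post or its commenters: a small log analysis in Python that does two things a server operator reading this thread would want. It separates requests that reached the server from the interception proxy address (the post’s 68.87.68.230) from direct client requests, and it recognises the fixed-interval polling that Graphicline saw and BowserKoopa attributes to the injected script retrying every five seconds, so that pattern is not mistaken for a deliberate attack. The log lines are constructed in the format of the post’s excerpt; the two addresses and the notify.do path come from the post and comments, and the 5-second cadence, the 404 status and the unrelated visitor 203.0.113.9 are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Path from Graphicline's comment, requested by the injected script.
NOTIFY_PATH = "/e8f6b078-0f35-11de-85c5-efc5ef23aa1f/aupm/notify.do?dispatch=checkBulletin"

# CONSTRUCTED log lines in the layout of the excerpt in the post.  The first
# four mirror the post's excerpt; the notify.do lines, their 5-second spacing
# and 404 status are assumptions based on BowserKoopa's description, and
# 203.0.113.9 is a documentation address standing in for an unrelated visitor.
LOG_LINES = [
    '2601:5:300:83:6997:f2b7:4d2d:c7fd - - [20/Nov/2012:21:35:56 -0800] "GET / HTTP/1.1" 200',
    '68.87.68.230 - - [20/Nov/2012:21:35:58 -0800] "GET / HTTP/1.1" 200',
    '68.87.68.230 - - [20/Nov/2012:21:38:31 -0800] "GET / HTTP/1.1" 200',
    '2601:5:300:83:6997:f2b7:4d2d:c7fd - - [20/Nov/2012:21:38:44 -0800] "GET / HTTP/1.1" 200',
    '203.0.113.9 - - [20/Nov/2012:22:00:07 -0800] "GET /about HTTP/1.1" 200',
] + [
    f'75.69.194.57 - - [20/Nov/2012:22:00:{sec:02d} -0800] "GET {NOTIFY_PATH} HTTP/1.1" 404'
    for sec in (0, 5, 10, 15, 20)
]

# Address the post identifies as Comcast's interception proxy.  Which
# addresses belong in this set is something each operator establishes from
# their own logs; the set here is an assumption of the example.
KNOWN_PROXY_IPS = {"68.87.68.230"}

# client ident user [timestamp] "method path protocol" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3})')


def parse_log(lines):
    """Parse common-log-format lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, _proto, status = m.groups()
        entries.append({
            "ip": ip,
            "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method,
            "path": path,
            "status": int(status),
        })
    return entries


def proxied_requests(entries, proxy_ips=KNOWN_PROXY_IPS):
    """Requests that reached the server from an interception proxy rather than the client."""
    return [e for e in entries if e["ip"] in proxy_ips]


def polling_sources(entries, max_gap=10, min_hits=4):
    """Map (ip, path) -> hit count for sources that re-request one URL at short, steady gaps.

    A client retrying the same URL every few seconds is the pattern the
    commenters read as a DoS; a one-off visit or a normal browsing session
    will not match because its gaps are irregular or too few.
    """
    times_by_key = defaultdict(list)
    for e in entries:
        times_by_key[(e["ip"], e["path"])].append(e["time"])
    polling = {}
    for key, times in times_by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        if all(gap <= max_gap for gap in gaps):
            polling[key] = len(times)
    return polling


if __name__ == "__main__":
    entries = parse_log(LOG_LINES)
    for e in proxied_requests(entries):
        print(f"via proxy {e['ip']}: {e['method']} {e['path']} at {e['time']:%H:%M:%S}")
    for (ip, path), hits in polling_sources(entries).items():
        print(f"polling from {ip}: {hits} hits on {path}")
```

The thresholds (`max_gap`, `min_hits`) are deliberately loose defaults; a real deployment would tune them against its own baseline traffic and, as both commenters did, decide per source whether to block or simply ignore the polling.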
  2. jthompson says:

    I noted the same attack Graphicline has on my own company’s server today. It didn’t affect service and I probably wouldn’t have noticed it if I hadn’t been checking my application’s error logs. They’ve been coming in since very early this morning. I’ve banned the offending IP.

  3. August Lilleaas says:

    I don’t think they would be able to man in the middle inject stuff for HTTPS traffic. That’s sort of the point of HTTPS – you need the private key of the certificate holder :)

      • Ian Monroe says:

        The whole point of SSL is that MITM shouldn’t work, since your browser or OS is preinstalled with a list of certificate authorities. Comcast would have to hijack a CA and generate a fake certificate for the domain you were trying to access. Hijacking a CA probably isn’t so hard, but it certainly doesn’t sound like something they would do.

        • miacane86 says:

          It also doesn’t sound like something they’d be stupid enough to do. Even if successfully executed, it would rain a sh*tstorm down on them. This may be a security vulnerability from a technical perspective, but if you’re that worried about it, you shouldn’t be doing anything personal on a non-HTTPS basis anyways.

        • skr1p7k1dd says:

          This. As long as they don’t have your private key or the server’s private key, HTTPS is perfectly safe from man-in-the-middle attacks.

  4. Will Morgan says:

    Introducing a ground-breaking new technology: customer email.

    Ladies and gentlemen of Comcast, leverage the power of communication using this new fan-dangled technology by sending an electronic message to your customers telling them their bandwidth quota is almost up.

    No more MITM traffic hijacking and no more making Crockford cry. Everyone’s a winner!

  5. Ian Monroe says:

    “Comcast took it upon themselves to hijack my web traffic, forcing it to go through their servers instead.”

    You realize all of your traffic goes through Comcast servers. It’s obnoxious behavior, but not worthy of verbs like “hijacking”. It’s like saying your flight got hijacked by American Airlines and you were two hours late.

    • Ryan Kearney says:

      No, all traffic does NOT go through Comcast’s servers. You’re confusing Servers with Routers and Switches. My traffic was supposed to go to a server and never got there. Instead, Comcast maliciously rerouted it to their Squid proxy instead.

  6. Doh says:

    This is the new anti-piracy program. It means that you’ve been detected using BitTorrent to share copyrighted materials.

  7. Anonymous (but not to Comcast) says:

    This is totally unconstitutional and illegal!!!!
    Just take a look at this post:
    http://www.reddit.com/r/technology/comments/1bnbxi/comcast_caught_hijacking_web_traffic/

    Someone pointed out this website that discusses comcast’s illegal activity:
    http://tech.slashdot.org/story/12/12/15/2230230/cox-comm-injects-code-into-web-traffic-to-announce-email-outage

    Now all of the sudden if you go to the page it no longer exists, and it takes me to a comcast landing page that states:

    “Sorry we are experiencing technical issues.

    Please click here to refresh this page.

    If the problem persists, please call 1-800-COMCAST (1-800-266-2278) and reference AUPM Service Notice.”

    Other sources are not able to load this page at all now, but you can still look this site up by finding the google cached version.

    This is beyond unconstitutional, this violates at least a dozen laws, and not to mention the First Amendment!!!!

    How are they getting away with this?! They are almost as bad as the Chinese government. This has to stop! Private corporations should never be able to censor or monitor anyone, ever!!!!

  8. Jonah Matthews says:

    I really do not think it is a big deal. Sure, they can do it, but they aren’t harming your computer or taking any info. They are displaying a notice that may or may not be helpful, depending on who they ask. Other ISPs have been adding banner ads using a SQUID proxy, so in comparison it isn’t really that bad. I sure don’t mind. It is a bit annoying, but nothing that would make me go like “THIS IS UNCONSTITUTIONAL AND IT IS GONNA VIOLATE MY RIGHTS AND OMG THATS SO RACIST OMG OMG OMG SO BAD OMG!!!!111!one!!2”

    Just calm down people

    • Anthony McCloskey says:

      I agree. It’s little different from an e-mail, and the reason they don’t use e-mail is because people tend to ignore those e-mails. It’s merely an alert to let you know you are approaching your threshold, because once you exceed your threshold you will incur additional usage fees. You can also pay for unlimited bandwidth and then you will never see these banners.

