Comcast caught hijacking web traffic
On November 20th, 2012 Comcast hijacked my HTTP traffic and re-routed it through their own servers, injecting a “notice” on the page before completing the request. This means that instead of my web request being routed to the website I wanted to visit, Comcast took it upon themselves to hijack my web traffic, forcing it to go through their servers instead. This poses a massive security risk for users, since there’s no telling what type of logging Comcast uses on their end. Why did they do all this? To force a “courtesy notice” on every webpage I visit until I logged into my Comcast account, because I was within 90% of my new 300GB limit?
In my testing I discovered that this only affects HTTP traffic and not HTTPS traffic. This means that while your online banking may be safe, any other website you visit over HTTP may put your privacy at risk. This is a prime example of why SSL encryption on websites is so important. However, it may only be a matter of time before Comcast starts executing man-in-the-middle attacks on SSL traffic.
Web Log
Here’s an excerpt from the server’s web log:
2601:5:300:83:6997:f2b7:4d2d:c7fd - - [20/Nov/2012:21:38:44 -0800] "GET / HTTP/1.1" 200
68.87.68.230 - - [20/Nov/2012:21:38:31 -0800] "GET / HTTP/1.1" 200
68.87.68.230 - - [20/Nov/2012:21:35:58 -0800] "GET / HTTP/1.1" 200
2601:5:300:83:6997:f2b7:4d2d:c7fd - - [20/Nov/2012:21:35:56 -0800] "GET / HTTP/1.1" 200
All four requests were made by my computer. The first was made straight to the server using my IPv6 address of 2601:5:300:83:6997:f2b7:4d2d:c7fd. The second two requests were hijacked by Comcast, so the request ended up coming from 68.87.68.230 (one of Comcast’s servers used to hijack customers’ web traffic).
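The log evidence above comes down to one question a server operator can ask of any access log: did the requests for a page arrive from the address the client actually used, or from something in between? The following script is an added example (not the author’s code or anything Comcast publishes) that parses common-log-format lines, flags requests from any address other than the known client, and pairs each flagged request with the client’s own request for the same path shortly before it. The sample lines are constructed from the addresses and timestamps in the excerpt, reordered oldest first; the log format beyond that is assumed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the four requests from the post's log excerpt, in the
# Apache "common" log format, reordered oldest first. Addresses and timestamps
# are the ones the post shows; everything else about the format is assumed.
SAMPLE_LOG = """\
2601:5:300:83:6997:f2b7:4d2d:c7fd - - [20/Nov/2012:21:35:56 -0800] "GET / HTTP/1.1" 200
68.87.68.230 - - [20/Nov/2012:21:35:58 -0800] "GET / HTTP/1.1" 200
68.87.68.230 - - [20/Nov/2012:21:38:31 -0800] "GET / HTTP/1.1" 200
2601:5:300:83:6997:f2b7:4d2d:c7fd - - [20/Nov/2012:21:38:44 -0800] "GET / HTTP/1.1" 200
"""

# The address the client really used (from the post); any other address that
# fetched the same page in the same window deserves a look.
EXPECTED_CLIENT = "2601:5:300:83:6997:f2b7:4d2d:c7fd"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Parse common-log-format lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        })
    return entries


def unexpected_sources(entries, expected_client):
    """Requests that did not arrive from the address the client really used."""
    return [e for e in entries if e["ip"] != expected_client]


def correlate(entries, expected_client, window=timedelta(minutes=5)):
    """For each request from an unexpected address, find the most recent request
    for the same path from the real client within `window`.

    Returns (other_ip, seconds_after_client_request) tuples. A close match means
    something between client and server fetched the page on the client's behalf,
    which is what a transparent proxy looks like from the server side."""
    client_reqs = [e for e in entries if e["ip"] == expected_client]
    matches = []
    for e in unexpected_sources(entries, expected_client):
        earlier = [c for c in client_reqs
                   if c["path"] == e["path"] and timedelta(0) <= e["ts"] - c["ts"] <= window]
        if earlier:
            nearest = max(earlier, key=lambda c: c["ts"])
            matches.append((e["ip"], (e["ts"] - nearest["ts"]).total_seconds()))
    return matches


def summarize_by_source(entries):
    """Per source address: request count and the span between first and last hit."""
    summary = {}
    for e in sorted(entries, key=lambda e: e["ts"]):
        s = summary.setdefault(e["ip"], {"count": 0, "first": e["ts"], "last": e["ts"]})
        s["count"] += 1
        s["last"] = e["ts"]
    for s in summary.values():
        s["span_seconds"] = (s["last"] - s["first"]).total_seconds()
    return summary


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, secs in correlate(entries, EXPECTED_CLIENT):
        print(f"{ip} fetched the same path {secs:.0f}s after the client did")
    for ip, s in summarize_by_source(entries).items():
        print(f"{ip}: {s['count']} request(s) over {s['span_seconds']:.0f}s")
```

On the sample lines the two 68.87.68.230 requests land 2 s and 155 s after the client’s own IPv6 request for the same path. On a real log the same pairing, run against the address you know you connected from, is the quickest way to tell a proxy in the path from an unrelated visitor.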
After a request is hijacked, HTML code is injected into the web page to display this message

Below is the code that Comcast is injecting into the page. If your browser doesn’t load the code below, you can view it here on GitHub.

Ryan,
I had a DoS attack on my domain today from a Comcast IP 75.69.194.57 using this script. “/e8f6b078-0f35-11de-85c5-efc5ef23aa1f/aupm/notify.do?dispatch=checkBulletin” Attack continued for 101 minutes during which time all other traffic was unable to access any of the sites on my domain.
This was probably a hacker who uses Comcast, and not Comcast themselves of course. However, I don’t appreciate an ISP adding scripts like this to their clients’ traffic, and am banning Comcast IPs.
Thanks for the info – much appreciated
The script fails to function properly – thus it attempts to reconnect every five seconds. This would be your “DoS” attack.
I noted the same attack Graphicline has on my own company’s server today. It didn’t affect service and I probably wouldn’t have noticed it if I hadn’t been checking my application’s error logs. They’ve been coming in since very early this morning. I’ve banned the offending IP.
It’s poorly written code, at that.
I don’t think they would be able to man in the middle inject stuff for HTTPS traffic. That’s sort of the point of HTTPS – you need the private key of the certificate holder :)
If you hijack the initial handshake you can absolutely see all the data that is going over HTTPS. You can read more about MITM attacks here http://en.wikipedia.org/wiki/Man-in-the-middle_attack
The whole point of SSL is that MITM shouldn’t work, since your browser or OS is preinstalled with a list of certificate authorities. Comcast would have to hijack a CA and generate a fake certificate for the domain you were trying to access. Hijacking a CA probably isn’t so hard, but it certainly doesn’t sound like something they would do.
It also doesn’t sound like something they’d be stupid enough to do. Even if successfully executed, it would rain a sh*tstorm down on them. This may be a security vulnerability from a technical perspective, but if you’re that worried about it, you shouldn’t be doing anything personal on a non-HTTPS basis anyways.
This. As long as they don’t have your private key or the server’s private key, HTTPS is perfectly safe from man-in-the-middle attacks.
Introducing a ground-breaking new technology: customer email.
Ladies and gentlemen of Comcast, leverage the power of communication using this new fan-dangled technology by sending an electronic message to your customers telling them their bandwidth quota is almost up.
No more MITM traffic hijacking and no more making Crockford cry. Everyone’s a winner!
Who uses their fucking comcast email?!
Did they hijack the DNS queries or were they using a transparent proxy?
Proxy. RFC 6108 describes it http://tools.ietf.org/html/rfc6108
How did you find that JS script? I’m curious to see how many ISPs inject data.
By hosting a completely blank HTML page and running curl on it until it injected this code.
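The canary method in this reply (host a blank page you control, fetch it over plain HTTP from the connection under test, and see whether what comes back is what the server sent) can be automated. The script below is an added example, not the author’s script: it compares a fetched body against the known-good canary by hash, and when they differ, diffs the two so the foreign markup is shown rather than just a mismatch. The canary body, the tampered response and the URL are constructed placeholders; the placeholder script tag is not the code the post describes.

```python
import difflib
import hashlib
import urllib.request

# Constructed canary: the blank page you host on your own server over plain
# HTTP, so the exact bytes the server sends are known in advance.
CANARY_BODY = b"<html><head></head><body></body></html>\n"
CANARY_SHA256 = hashlib.sha256(CANARY_BODY).hexdigest()

# Constructed stand-in for a tampered response (a placeholder script tag, not
# the code the post describes); used to exercise the check offline.
TAMPERED_BODY = (b'<html><head><script src="http://injected.example/notice.js">'
                 b'</script></head><body></body></html>\n')


def check_canary(received, expected_body=CANARY_BODY, expected_sha256=CANARY_SHA256):
    """Compare a fetched body with the known-good canary.

    Returns {"tampered": bool, "injected": str}. The hash comparison is the
    actual check; the diff only serves to show what was added, so an analyst
    sees the foreign markup instead of just a hash mismatch."""
    if hashlib.sha256(received).hexdigest() == expected_sha256:
        return {"tampered": False, "injected": ""}
    want = expected_body.decode("utf-8", "replace")
    got = received.decode("utf-8", "replace")
    sm = difflib.SequenceMatcher(None, want, got, autojunk=False)
    injected = "".join(got[j1:j2] for tag, _i1, _i2, j1, j2 in sm.get_opcodes()
                       if tag in ("insert", "replace"))
    return {"tampered": True, "injected": injected}


def fetch_and_check(url, expected_body=CANARY_BODY, expected_sha256=CANARY_SHA256, timeout=10):
    """Fetch the canary over the network (an http:// URL) and run the check.
    The no-cache headers ask intermediaries not to answer from a stored copy."""
    req = urllib.request.Request(url, headers={"Cache-Control": "no-cache", "Pragma": "no-cache"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return check_canary(resp.read(), expected_body, expected_sha256)


if __name__ == "__main__":
    # Offline demonstration on the constructed bodies. To use it for real, host
    # CANARY_BODY yourself and poll fetch_and_check("http://your-host/canary.html")
    # (placeholder URL) from the connection under test, logging every tampered result.
    for label, body in (("clean", CANARY_BODY), ("tampered", TAMPERED_BODY)):
        print(label, check_canary(body))
```

Because the server’s bytes are fixed and known, any difference is attributable to the path, not the site. Polling the same canary over HTTPS from the same connection, or over HTTP from a different network, isolates whether the plain-HTTP path is the only one affected, which matches what the post reports.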
“Comcast took it upon themselves to hijack my web traffic, forcing it to go through their servers instead.”
You realize all of your traffic goes through Comcast servers. It’s obnoxious behavior, but not worthy of verbs like “hijacking”. It’s like saying your flight got hijacked by American Airlines and you were two hours late.
No, all traffic does NOT go through Comcast’s servers. You’re confusing Servers with Routers and Switches. My traffic was supposed to go to a server and never got there. Instead, Comcast maliciously rerouted it to their Squid proxy instead.
This is the new anti-piracy program. It means that you’ve been detected using BitTorrent to share copyrighted materials.
That’s actually not true. This is their notification about nearing your monthly bandwidth limit.
I haven’t seen the 6 strikes notification yet. I’m guessing it will look similar to this one though.
Did you read the message? It’s about their 300GB bandwidth limit.
It has nothing to do with piracy or BitTorrent, and everything to do with Ryan nearing his data threshold (it’s not technically a cap).
This is totally unconstitutional and illegal!!!!
Just take a look at this post:
http://www.reddit.com/r/technology/comments/1bnbxi/comcast_caught_hijacking_web_traffic/
Someone pointed out this website that discusses comcast’s illegal activity:
http://tech.slashdot.org/story/12/12/15/2230230/cox-comm-injects-code-into-web-traffic-to-announce-email-outage
Now all of the sudden if you go to the page it no longer exists, and it takes me to a comcast landing page that states:
“Sorry we are experiencing technical issues.
Please click here to refresh this page.
If the problem persists, please call 1-800-COMCAST (1-800-266-2278) and reference AUPM Service Notice.”
Other sources are not able to load this page at all now, but you can still look this site up by finding the google cached version.
This is beyond unconstitutional, this violates at least a dozen laws, and not to mention the First Amendment!!!!
How are they getting away with this?! They are almost as bad as the Chinese government. This has to stop! Private corporations should never be able to censor or monitor anyone, ever!!!!
You do understand the constitution only limits government activities, not the activities of private companies with whom you choose to do business, right?
I really do not think it is a big deal. Sure, they can do it, but they aren’t harming your computer or taking any info. They are displaying a notice that may or may not be helpful, depending on who they ask. Other ISPs have been adding banner ads using a SQUID proxy, so in comparison it isn’t really that bad. I sure don’t mind. It is a bit annoying, but nothing that would make me go like “THIS IS UNCONSTITUTIONAL AND IT IS GONNA VIOLATE MY RIGHTS AND OMG THATS SO RACIST OMG OMG OMG SO BAD OMG!!!!111!one!!2”
Just calm down people
‘Off your meds’ or Comcast management?
You, my friend, are a complete, utterly stupid idiot.
I agree. It’s little different from an e-mail, and the reason they don’t use e-mail is because people tend to ignore those e-mails. It’s merely an alert to let you know you are approaching your threshold, because once you exceed your threshold you will incur additional usage fees. You can also pay for unlimited bandwidth and then you will never see these banners.