Comcast injects copyright warnings into browsers, raising privacy concerns

The 'man-in-the-middle' attack does not affect HTTPS-protected websites, which can almost never be intercepted or have third-party content injected into them.
Written by Zack Whittaker, Contributor
The injected Comcast banner in question.
(Image: Jarred Sumner/GitHub)

If Comcast thinks you're downloading copyrighted material, you can be sure it'll let you know. But how it does it has raised questions over user privacy.

The cable and media giant has been accused of tapping into unencrypted browser sessions and displaying warnings that accuse the user of infringing copyrighted material -- such as sharing movies or downloading from a file-sharing site.

That could put users at risk, says the developer who discovered it.

Jarred Sumner, a San Francisco, Calif.-based developer who published the alert banner's code on his GitHub page, told ZDNet in an email that this could cause major privacy problems.

Sumner explained that Comcast injects the code into a user's browser as they are browsing the web, performing a so-called "man-in-the-middle" attack. (Comcast has been known to alert users when they have surpassed their data caps.) This means Comcast intercepts the traffic between a user's computer and the servers of the sites they visit, instead of installing software on the user's computer.

But that opens up a whole host of problems, such as allowing Comcast to modify what is displayed on the user's page.

"This probably means that Comcast is using [deep packet inspection] on subscribers' internet and/or proxying subscriber internet when they want to send messages to subscribers," he said. "That would let Comcast modify unencrypted traffic in both directions."

That would mean Comcast could, if it wanted to, trick users into thinking they are on one site when they're on another instead.

"There are scarier scenarios where this could be used as a tool for censorship, surveillance, [or] selling personal information," said Sumner.

Sumner confirmed he used Comcast at home. "It started appearing on every single non-HTTPS website on every device on my home's network," he said.

It's almost impossible for encrypted websites, which display "HTTPS" in the address bar, to be affected. Not only does the SSL/TLS connection behind the site's security certificate prevent anyone on the path from seeing what happens during the browsing session, it also adds a layer of integrity, meaning the page cannot be modified by a third party while it is in transit to the browser.
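For a site operator or a curious user, the practical check that follows from the above is to look at what actually arrived over plain HTTP and flag any script the page never shipped. The Python below is an added example, not code from the article or from Sumner's GitHub page: it parses an HTML body, resolves every `<script src>` to its origin, and reports those that are neither first-party nor on an operator-supplied allowlist. The sample page, the `www.example.test` origin, and the CDN allowlist are constructed placeholders; an injected script is simulated by a third origin in the sample.

```python
"""Flag <script> elements in an HTML response whose origin the site operator
did not approve.  Added example; the sample HTML, the page origin and the
allowlist are constructed placeholders, not data from the article."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ScriptCollector(HTMLParser):
    """Collects the src of every <script> tag and counts inline scripts."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":          # HTMLParser lowercases tag names
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self.inline += 1         # inline script body, no src attribute


def script_origin(src, page_origin):
    """Return 'scheme://host' for a script src; relative paths resolve to the
    page's own origin, protocol-relative '//host/x' inherits the page scheme."""
    parts = urlsplit(src)
    if not parts.netloc:
        return page_origin
    scheme = parts.scheme or page_origin.split("://", 1)[0]
    return f"{scheme}://{parts.netloc.lower()}"


def find_unapproved_scripts(html, page_origin, allowed_origins=()):
    """Parse html and report script sources from origins outside the
    first-party origin and the allowlist, plus basic script counts."""
    collector = _ScriptCollector()
    collector.feed(html)
    page_origin = page_origin.lower()
    allowed = {page_origin} | {o.lower() for o in allowed_origins}
    flagged = [s for s in collector.srcs
               if script_origin(s, page_origin) not in allowed]
    return {
        "flagged": flagged,
        "inline_scripts": collector.inline,
        "total_scripts": len(collector.srcs) + collector.inline,
    }


# Constructed sample: a first-party script, an approved CDN script, one
# inline script, and a fourth script from an origin the site never approved.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.test/lib.js"></script>
</head><body>
<p>Hello</p>
<script>console.log("first party inline");</script>
<script src="http://injector.example.test/alert.js"></script>
</body></html>"""

if __name__ == "__main__":
    report = find_unapproved_scripts(
        SAMPLE_HTML, "http://www.example.test", ["https://cdn.example-cdn.test"])
    for src in report["flagged"]:
        print("unapproved script origin:", src)
    print("inline:", report["inline_scripts"], "total:", report["total_scripts"])
```

The allowlist is what separates a legitimate third-party embed from an injected one, so it has to be maintained by whoever owns the page; the check cannot tell the difference on its own. It is a diagnostic, not a fix: an in-path proxy that can add a script tag can also remove a client-side check, which is why the durable mitigation is the one the article names, serving the site over HTTPS so the response cannot be altered in transit.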

"This is highly dubious behavior from Comcast. The last thing anyone wants is unapproved third-party JavaScript libraries being injected onto their pages. This could have serious performance and security implications," said one user in the comments.

Others in the comments section said they also saw this, adding that it was first seen back in June.

This is not the first time Comcast has been accused of controversial tactics.

Most recently, Comcast was accused of exploiting a loophole in the net neutrality rules, allowing its users to stream an unlimited amount of video -- despite its data caps, because the company said it was being provided over its cable network rather than the internet. That falls foul of the rules because its competitors, like Netflix, would count against the data limits, according to the Washington Post.

A Comcast spokesperson said in an email on Monday that this is "not new," adding that engineers "transparently posted an Internet Engineering Task Force (IETF) white paper about it" as early as 2011, which can be found here.

The spokesperson did not, however, address the apparent privacy concerns.
