Since 1999

 

4 minutes estimated reading time.

Xfinity is Man-in-the-Middle (MITM) Attacking my Internet

Alex Piechowski

I recently moved to Fort Collins, CO. With this move also meant new internet… Unfortunately, Xfinity (Comcast) is the only ISP available in the area until early next year, so I purchased service through Xfinity. I had heard horror stories from co-workers about Comcast, but after working at a company that makes billing and networking software and hardware for Wireless Internet Service Providers, I was skeptical; everyone seems to hate their ISP.

Little did I know, they still regularly hack their own customers. For the second month, they alerted me via Man-in-the-middle attack and DOM injection that my data cap (Comcast still has datacaps. Pricing like it’s 1999…) had reached 90%.

Assuming Rietta.com wasn’t utilizing TLS, this is what the message would look like:

Comcast Attack Overlayed on Currently Displayed Blog Post

They injected 581 lines of JavaScript code, resulting in a total of 48.5kb data resulting in additional data towards my data cap, as well as my page becoming interactive ~250ms slower. This means that even though my internet is faster than before, my computer performs worse when utilizing Xfinity internet.

Insecure

Not only is it morally wrong to inject content into websites, but it is also extremely dangerous.

By setting the expectation that Xfinity will be injecting content into miscellaneous webpages, Xfinity allows webpages to easily act as Xfinity. The good news is that the original RFC specifically states the notification must not ask for login credentials:

“the notification must not ask for login credentials, and must not ask a user to follow a link in order to change their password, since these are common phishing techniques” - RFC 6108

which means hackers can’t ask for your username or password either, right? Wrong, hackers don’t usually follow the rules…

Any malicious website developer is able to easily replicate the code, which I’ve made available here. The code is licensed under GNU GPLv3, which allows for modifications.

Inaccessible to Users with Disabilities

Xfinity’s injected attack code doesn’t follow Google’s Web Development Standards, resulting in a terrible experience for anybody utilizing a screenreader or utilizing keyboard-first navigation.

This attack entirely breaks tab ordering, deeming the internet unusable for people requiring software assistance to provide accessibility to the World Wide Web. Additionally, the “escape” key, which is often used to close dialogs, doesn’t close the Xfinity notice.

For users that might require the internet for day to day life, this could cause some major issues and in extreme cases might result in life-threatening circumstances.

Having this hook allows for Xfinity employees to be malicious in nature.

A few things that could be done via Comcast’s servers are:

  • Changing the content of an accessed web page
  • Exploited vulnerability resulting in outside sources being capable of executing a Man-in-the-middle attack
  • Session Hijacking: Stealing your logged in session and acting like you on your profile
  • Browser sniffing: Accessing data about your computer, such as your Operating System and Browser.

Breaks legacy programs

This resulted in a major loss of personal investment

Finally, this injection breaks common legacy programs. One example was an older apt-get repository which choked up when given foreign content. This resulted in a major loss of personal investment, as I was unable to troubleshoot and diagnose an issue with a development build.

Results in Additional data being downloaded

“You’ve used 90% of your data usage plan” — but we’ll force you to download 50kb extra so you are closer to our glorious overages

For every request you make, Comcast adds an additional 50kb to your request. In order to alert you that you’re almost at your data cap, they guide you closer to your data cap.

This also means that websites will load slower. The way this code was implemented, the code blocks the page from loading for 250ms, resulting in a much slower internet experience.

Dear Xfinity,

Please stop injecting my web requests with foreign content. It results in a very poor experience, poor accessibility, is less secure, and has major privacy concerns.

You have my email. Email is a widely respected communication form.

Additionally, since my house has your service, you also have my address. Postal mailing is a standard communication method respected by the U.S. Govt.

Please stop hacking your own customers.

Please help make your internet service more secure.

Cheers,

Alex