
Xfinity is Man-in-the-Middle (MITM) Attacking my Internet


I recently moved to Fort Collins, CO, which also meant new internet service…
Unfortunately, Xfinity (Comcast) is the only ISP available in the area until
early next year, so I purchased service through Xfinity. I had heard horror stories
from co-workers about Comcast, but after working at a company that makes billing
and networking software and hardware for Wireless Internet Service Providers, I
was skeptical; everyone seems to hate their ISP.

Little did I know, they still regularly hack their own customers. For the second
month in a row, they alerted me, via a Man-in-the-Middle attack and DOM injection, that my
data cap (Comcast still has data caps. Pricing like it’s 1999…) had reached 90%.

They injected 581 lines of JavaScript code, 48.5kb of data in total, which counts
toward my data cap and makes the page become interactive ~250ms later. This means
that even though my internet is faster than before, my computer performs worse
when utilizing Xfinity internet.
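A defender-side check for this kind of injection, added here as an example and not part of the original post: compare the scripts in a page received over plain HTTP against a trusted reference copy (fetched over HTTPS or stored locally), or hash a canary page whose exact bytes you control. The HTML below is constructed.

```python
# Added example (not from the post): detect DOM injection by comparing a
# reference copy of a page with the copy received over plain HTTP. Constructed sample.
import hashlib
from html.parser import HTMLParser

class _ScriptCollector(HTMLParser):
    """Records every <script> as (src, short sha256 of its inline body)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._in_script, self._buf = [], None, False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._src, self._buf = True, dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._in_script:          # script bodies arrive here as raw CDATA
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip()
            digest = hashlib.sha256(body.encode()).hexdigest()[:16] if body else None
            self.scripts.append((self._src, digest))
            self._in_script = False

def scripts_of(html):
    parser = _ScriptCollector()
    parser.feed(html)
    return parser.scripts

def injected_scripts(reference_html, observed_html):
    """Scripts present in the observed copy but absent from the reference."""
    expected = set(scripts_of(reference_html))
    return [s for s in scripts_of(observed_html) if s not in expected]

def canary_ok(observed_body, expected_sha256):
    """Exact check for a page whose bytes you control (a canary URL)."""
    return hashlib.sha256(observed_body).hexdigest() == expected_sha256

# Constructed sample: the page as the origin serves it, and the same page with
# a data-cap notice script and overlay spliced in on the wire.
REFERENCE = "<html><head><script src='/app.js'></script></head><body><p>hi</p></body></html>"
OBSERVED = ("<html><head><script src='/app.js'></script>"
            "<script>window.__notice='90% of data used';</script></head>"
            "<body><p>hi</p><div id='notice'>...</div></body></html>")
if __name__ == "__main__":
    for src, digest in injected_scripts(REFERENCE, OBSERVED):
        print("injected script:", src or "inline", digest)
```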

Insecure

Not only is it morally wrong to inject content into websites, but it is also extremely
dangerous.

By setting the expectation that Xfinity will be injecting content into miscellaneous
webpages, Xfinity allows webpages to easily act as Xfinity. The good news is that
the original RFC specifically states the notification must not ask for login credentials:

“the notification must not ask for login credentials, and must not ask a user to follow a link in order to change their password, since these are common phishing techniques” – RFC 6108

which means hackers can’t ask for your username or password either, right? Wrong. Hackers don’t usually follow the rules…

Any malicious website developer can easily replicate the code, which I’ve
made available here. The code is licensed under GNU GPLv3, which allows for modifications.

Inaccessible to Users with Disabilities

Xfinity’s injected attack code doesn’t follow Google’s Web Development Standards,
resulting in a terrible experience for anybody utilizing a screenreader or utilizing
keyboard-first navigation.

This attack entirely breaks tab ordering, rendering the internet unusable for
people who depend on assistive software to access the World Wide Web.
Additionally, the “escape” key, which is often used to close dialogs, doesn’t
close the Xfinity notice.

For users that might require the internet for day to day life, this could cause
some major issues and in extreme cases might result in life-threatening circumstances.

Having this hook in place gives Xfinity employees a ready means to act maliciously.

A few things that could be done via Comcast’s servers are:

  • Changing the content of an accessed web page
  • An exploited vulnerability in the injection system, leaving outside parties capable of executing their own Man-in-the-Middle attack
  • Session Hijacking: Stealing your logged in session and acting like you on your profile
  • Browser sniffing: Accessing data about your computer, such as your Operating System and Browser.

Breaks legacy programs

Finally, this injection breaks common legacy programs. One example was an older
apt-get repository which choked up when given foreign content. This resulted in
a major loss of personal investment, as I was unable to utilize my internet
during this time.

Results in additional data being downloaded

“You’ve used 90% of your data usage plan” — but we’ll force you to
download 50kb extra so you are closer to our glorious overages

For every request you make, Comcast adds an additional 50kb to your request. In
order to alert you that you’re almost at your data cap, they guide you closer to
your data cap.

This also means that websites will load slower. The way this code is
implemented, it blocks the page from loading for 250ms, resulting in a much
slower internet experience.

Dear Xfinity,

Please stop injecting my web requests with foreign content. It results in a very
poor experience and poor accessibility, is less secure,
and raises major privacy concerns.

You have my email. Email is a widely respected communication form.

Additionally, since my house has your service, you also have my address.
Postal mailing is a standard communication method respected by the U.S. Govt.

Please stop hacking your own customers.

Please help make your internet service more secure.

Cheers,

Alex
