This article is more than 1 year old
AT&T accused of Wi-Fi interception, ad injection
Security? They've heard of it but don't seem in a rush to do it very well
AT&T has been accused of grabbing user traffic from its Wi-Fi hotspots for ad injection.
The news comes from Stanford lawyer and computer scientist Jonathan Mayer, whose previous work includes uncovering a browser history bug in 2011, and the use of Verizon zombie cookies by third parties.
In Webpolicy, Mayer writes that while hanging around Dulles Airport, he noticed the huge advertising load arriving at his browser when he used the AT&T hotspot.
That hotspot, he writes, is using technology from a startup called RaGaPa to inject ads into the HTTP sent to the user's browser. From the post:
First, the hotspot adds an advertising stylesheet.
Next, it injects a backup advertisement, in case a browser doesn't support JavaScript. It appears that the hotspot intercepts /ragapa URLs and resolves them to advertising images.
Finally, the hotspot adds a pair of scripts for controlling advertisement loading and display.
Apart from the effect on the user, who gets cluttered browsing so AT&T can monetize the Wi-Fi, Mayer points out that this "particularly unsavoury" way of "advertising injection" poses security risks.
It "exposes much of the user's web browsing activity to an undisclosed and untrusted business," Mayer writes, as well as posing "security and breakage risks, since Website developers generally don't plan for extra scripts and layout elements."
Mayer notes that ad-injection extensions are frowned on by Google, which last year yanked a bunch of Chrome (Windows) extensions on that basis. ®