This article is more than 1 year old

AT&T accused of Wi-Fi interception, ad injection

Security? They've heard of it but don't seem in a rush to do it very well

AT&T has been accused of grabbing user traffic from its Wi-Fi hotspots for ad injection.

The news comes from Stanford lawyer and computer scientist Jonathan Mayer, whose previous work includes uncovering a browser history bug in 2011, and the use of Verizon zombie cookies by third parties.

In Webpolicy, Mayer writes that while hanging around Dulles Airport, he noticed the huge advertising load arriving at his browser when he used the AT&T hotspot.

That hotspot, he writes, is using technology from a startup called RaGaPa to inject ads into the HTTP sent to the user's browser. From the post:

First, the hotspot adds an advertising stylesheet.

AT&T ad injection script image 1

Next, it injects a backup advertisement, in case a browser doesn't support JavaScript. It appears that the hotspot intercepts /ragapa URLs and resolves them to advertising images.

AT&T ad injection script image 2

Finally, the hotspot adds a pair of scripts for controlling advertisement loading and display.

AT&T ad injection script image 3

Apart from the effect on the user, who gets cluttered browsing so AT&T can monetize the Wi-Fi, Mayer points out that this "particularly unsavoury" way of "advertising injection" poses security risks.

It "exposes much of the user's web browsing activity to an undisclosed and untrusted business," Mayer writes, as well as posing "security and breakage risks, since Website developers generally don't plan for extra scripts and layout elements."

Mayer notes that ad-injection extensions are frowned on by Google, which last year yanked a bunch of Chrome (Windows) extensions on that basis. ®

More about

TIP US OFF

Send us news


Other stories you might like