Thousands if not millions of online users are at risk because of an oversight by the South African ISP Telkom. No doubt introduced with practical intentions, Telkom has a mechanism to inform you via a pop-up that your data allowance has reached a certain percentage of its limit. The problem with how they deliver this small bit of information is that it is done by HTML injection, and it reveals that Telkom proxies all of its users' traffic.

HTML injection is a common hacking method: the code (HTML) you requested for a website is returned to you in a modified form, with someone else's own code inserted to serve various purposes.
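One way to spot this kind of modification from the client side is to compare the hosts that a page's scripts reference against the hosts the site itself is expected to use. The following is an added example, not code from the original post or from Telkom; it parses an HTML document with Python's standard library, collects every host referenced by `<script src>` attributes and by URLs inside inline scripts, and reports the ones that are not on an allowlist of the site's own origins. The sample page is constructed markup that only imitates the data-cap pop-up described in the post, using the IP and hostname the post mentions; the allowed hosts (`example.com`, `cdn.example.com`) are assumptions for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches absolute and protocol-relative URLs inside inline script text and captures the host.
_HOST_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)")


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []          # values of src= on <script> tags
        self.inline = []            # text of <script> ... </script> blocks without src=
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data (CDATA mode).
        if self._in_inline_script and data.strip():
            self.inline.append(data)


def find_foreign_hosts(html, allowed_hosts):
    """Return the sorted list of hosts referenced by scripts that are not in allowed_hosts.

    Relative script paths (no host) are same-origin and never reported.
    """
    allowed = {h.lower() for h in allowed_hosts}
    parser = ScriptCollector()
    parser.feed(html)

    hosts = set()
    for src in parser.external:
        host = urlparse(src).hostname   # handles http://, https:// and //host forms
        if host:
            hosts.add(host.lower())
    for body in parser.inline:
        for host in _HOST_RE.findall(body):
            hosts.add(host.lower())

    return sorted(h for h in hosts if h not in allowed)


# Constructed sample page: a site serving its own scripts, plus an imitation of the
# injected pop-up. The injected part is NOT Telkom's actual code; it only reuses the
# IP and hostname named in the post so the allowlist check has something to flag.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body>
<p>Hello</p>
<script src="http://196.25.211.41/notify.js"></script>
<script>
  var quota = document.createElement("iframe");
  quota.src = "http://cheetah.intekom.co.za/quota?pct=80";
  document.body.appendChild(quota);
</script>
</body></html>"""

SITE_HOSTS = {"example.com", "cdn.example.com"}   # assumed origins of the site


if __name__ == "__main__":
    for host in find_foreign_hosts(SAMPLE_PAGE, SITE_HOSTS):
        print("script references unexpected host:", host)
```

Run against a page fetched over plain HTTP, a non-empty result means something between you and the server added script that the site itself does not reference; the same page fetched over HTTPS should report nothing, which is exactly why the HTTPS-only advice later in the post works.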

Another part of this process concerns DNS: their injected JavaScript references the IP 196.25.211.41, which reverse-resolves to cheetah.intekom.co.za; that name oddly forward-resolves to 105.224.1.4 (ns2.telkomsa.net), a non-recursive name server running on Citrix. It would make sense that this is an enterprise DNS server for resolving queries from any of their tools. The problem with this is that, after the injection, you could be leaking DNS lookups.

On a side note regarding DNS and Telkom, I have read of an ADSL connection breaking because the default name servers were changed to OpenDNS (208.78.222.222, 208.67.220.220). Once they were changed back to Telkom’s, the connection came back up because DNS requests were resolving again. It would make sense to try to force people onto their DNS servers to simplify troubleshooting and tech support, but it could also be a way to funnel users through a point where their web traffic can be monitored. Telkom is partially state owned.

Once Telkom starts injecting code into the pages your browser receives, a side effect is that it cripples the functionality of some websites, degrading your quality of service and breaking sites. How many people out there have seen the pop-up and clicked on it? How sure are they that it was in fact Telkom’s pop-up they clicked on to dismiss it? What other traffic has been interfered with through their proxies?

Pro-Tip: their injection can only work on HTTP, not HTTPS, so there is some relief from this inconvenient and dangerous code injection. Installing the HTTPS Everywhere plugin will help mitigate the injection and is a recommended plugin to run regardless. Alternatively, install the Tor Browser.

EDIT: this article made it onto the front page of Hacker News