Comcast Under Fire For Web Traffic Message Injection

Every so often, somebody notices that Comcast injects messages to customers into browsing data streams and has a good, old-fashioned freak-out about it. The company was criticized last year for injecting copyright infringement warnings into data streams, and earlier this year for injecting messages warning customers that they may need to upgrade their network hardware. Usually the complaints bubble over, Comcast points out that it has been doing this sort of thing for years, and things quiet down again.

That said, many folks continue to point out Comcast's behavior isn't a good idea.

iOS developer Chris Dzombak this week penned a blog post (complete with handy Comcast popup) noting how these injections have spiked as Comcast continues expanding the company's utterly unnecessary usage caps. The notifications alert users when they're getting close to their monthly usage allotment, but Dzombak points out that this behavior creates a wonderful new opportunity for man-in-the-middle phishing attacks.

"Any website could present its users an in-page dialog which looks similar to these Comcast alerts," he notes. "The notification’s content could be entirely controlled by criminals hoping to harvest users’ Comcast account login information. This would give an attacker access to users’ email, which is a gateway to reset the user’s passwords on most other sites — remember, most password recovery mechanisms revolve around access to an email account."

He also points out that training customers to view this sort of ISP traffic interference as normal reduces their skepticism toward similar attacks that appear to originate from their ISP.

Comcast VP of Engineering Jason Livingood has often stopped by our forums to note that Comcast has been notifying customers with aging modems in this fashion since 2013 or so. In these sorts of posts he's quick to point out that Comcast filed an RFC in 2011 explaining the behavior. But that doesn't somehow make it acceptable, notes Dzombak.

"Comcast has submitted an informational RFC (6108) to the IETF documenting how this content injection system works," he complains. "This appears to be a shady effort to capitalize on the perceived legitimacy that pointing to an RFC gives you." He proceeds to note that "publishing a memo that says you plan to do something, doesn’t mean that the thing you’re doing is acceptable."

Livingood addressed some of Dzombak's concerns on Twitter last month, saying his "points are fair," but not really saying how Comcast intends to address the potential issue these injections raise.

"This is a reckless practice by Comcast which puts its customers at risk," argues the developer. "These notifications are a terrible, dangerous idea. I urge Comcast to reconsider its use of this notification system, for the safety of its customers."

Granted, this is an issue that may automatically be put to bed as more and more websites embrace encryption, since Comcast can't inject content into encrypted communications.