Comcast Injects Unwanted Ads Into Websites Accessed With XFinity Public WiFi Hotspots

In a stealth move, one of the largest internet service providers could be tainting your websites with unwanted ads and malicious code. Sound dramatic? Comcast, as part of the recent launch of its XFinity public WiFi hotspots, is inserting ads for its services into various websites without the website owners’ knowledge.

The ads usually display across the bottom of the page and advertise Comcast’s services, including reminders to customers to download XFinity’s mobile apps. According to a report made available by Ars Technica, Comcast says that the ads alert users that they are connecting via an official XFinity hotspot. This proves tricky, as any hacker can create a hotspot designed to look just like a Comcast hotspot, tricking unsuspecting users into sending their credentials and personal information to an unknown source.

Injecting ads via JavaScript into a site where that code doesn’t normally appear isn’t a great idea either. The injected code could introduce unintended security vulnerabilities for a malicious individual to exploit, making previously secure sites vulnerable to attack. Although JavaScript is used widely throughout the web community, your browser can have a hard time telling good code from bad.
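A site owner can spot this kind of injection by comparing the page as published with the copy a client received over an unencrypted connection. The following is an added example, not code from this article or from Comcast; the sample pages, the `injector.example` host and the function names are constructed for illustration.

```javascript
// Added example: list <script> elements that appear in the HTML a client
// received but not in the HTML the site owner published.
// The regex-based extraction is approximate; it is a quick check, not a full HTML parser.

// Return one fingerprint per <script> element: the src URL for external
// scripts, or the trimmed body text for inline scripts.
function scriptFingerprints(html) {
  const prints = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    if (src) {
      prints.push("src:" + (src[1] ?? src[2] ?? src[3]));
    } else {
      prints.push("inline:" + m[2].trim());
    }
  }
  return prints;
}

// Scripts present in `received` that the published page does not contain.
function injectedScripts(published, received) {
  const known = new Set(scriptFingerprints(published));
  return scriptFingerprints(received).filter((p) => !known.has(p));
}

// Constructed sample pages (not captured traffic).
const PUBLISHED = `<html><head><script src="/static/app.js"></script></head>
<body><p>Hello</p><script>init();</script></body></html>`;
const RECEIVED = `<html><head><script src="/static/app.js"></script></head>
<body><p>Hello</p><script>init();</script>
<script src="http://injector.example/banner.js"></script></body></html>`;

console.log(injectedScripts(PUBLISHED, RECEIVED));
```

An empty result means every script in the received copy was also in the published page; any entry is a script added somewhere between the server and the client.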

Comcast reassures users that the ads only appear when using XFinity public hotspots, and do not apply to websites accessed by a Comcast WiFi router at home. Either way, this practice cuts to the core of the net neutrality debate, as the FCC is currently determining policies that could include provisions stating broadband providers must deliver broadband without injecting any data packets.

How can you avoid becoming the victim of a malicious attack? Connecting to WPA2-Enterprise and authenticating via 802.1X ensures network traffic is encrypted and secure. You should also access sites using HTTPS encryption, meaning only your browser and the server can decrypt the traffic.