AT&T Wi-Fi hotspot caught injecting ads into web pages
AT&T, which offers public Wi-Fi hotspots across the U.S., was caught putting ads on websites in unusual places by Jonathan Mayer, a lawyer and Ph.D. candidate in computer science at Stanford University. AT&T had not responded to our request for comment at this writing.
Mayer was at Dulles Airport last week when he noticed Stanford’s site suddenly showing ads for jewelry and AT&T services—ads that he’d never seen on the university site before. Other sites were also showing ads in odd spots, Mayer said.
It appears AT&T was partnering with a third-party company RaGaPa that specializes in “HotSpot Branding.” The service would add three different bits of code into a browser tab to inject unauthorized ads on a site, including a backup ad in case a particular browser wouldn’t run JavaScript.
The problem with injecting ads where they shouldn’t be is that they can introduce security issues where previously there were none. Mayer also argues that this behavior can break sites and expose a user’s browser activity to “an undisclosed” third-party—RaGaPa in this case.
It’s not clear if AT&T’s Dulles hotspot was just one part of a small pilot project or if this kind of ad injection is active across AT&T’s entire Wi-Fi network.
The story behind the story: Injecting unwanted ads into user’s browsers has been something of an issue in recent years. In September 2014, Comcast was also caught injecting ads at its public hotspots for the company’s own services. In 2012, the Marriott hotel chain was doing something similar. Nearly 200 shady Chrome extensions were also into the practice, which Google began clamping down on in April.
The good news is there’s a quick fix for those who regularly use AT&T Wi-Fi hotspots or anywhere else you discover ad injection. Download the browser extension HTTPS Everywhere from the Electronic Frontier Foundation. HTTPS Everywhere works with Chrome, Firefox, and Opera, and forces your browser to use an HTTPS encrypted connection with any site that offers one. Ad injection practices like RaGaBa’s cannot affect HTTPS encrypted sites.
It is also wise to connect to a virtual private network (VPN) when using public Wi-Fi to protect yourself against malicious activity such as man-in-the-middle attacks that often try to fool you into handing over personal data such as site login information.