10 months ago
tl;dr: My ISP, Access Media 3 has started injecting tracking cookies into html packets going through their network and are potentially making money from tracking their customers.
EDIT July 2014: AM3 got back to me and admitted that this is all true.. and worse.. they admitted to replacing ads from other ad networks with their own. Will have a follow up blog post soon.
About a week ago I started noticing something strange. I was viewing YouTube and saw a white bar (pictured below) at the top of the page. I didn’t think much of it until I visited StackOverflow and saw the exact same white bar.
Upon further inspection it turns out this ‘random script’ had been injected by a <script> tag in the header. I looked at some other sites and noticed the same script being inserted almost everywhere. Here is what it looks like:
I realized that the only sites that weren’t affected were those using https rather than http. This makes sense, you can’t inject code into https because it is encrypted.
The effect of this script was to add an iframe to YouTube and StackOverflow however other pages (including ones I’ve built myself) had no injected iframes and only the script tags in the <head>. My theory is that this is related to sites that provide ads however I have not confirmed this.
tl;dr: The iframe is coming from Ad-vantage Networks.
So who is injecting the code?
My initial thoughts were that it was just a simple Chrome extension. So I checked the site on Firefox and my Nexus… same result. I plugged in my ethernet cord to rule out my wireless router… same result. Same white bar at the top of YouTube. I switched my Nexus over to 3G and voila! The white bar disappeared. Something in between my wall and YouTube was injecting this code.
I ran mtr to see if there were any suspicious hops that my packets were routing through and this was the result:
Nothing out of the ordinary, at least to my untrained eye (I’m by no means a networks expert).
Plot twist time
Around the same time that I started seeing this injected code I was building a Node.js website and noticed a weird change in behavior. Usually when my node server was off and I accidentally hit its url I received the standard Chrome “This webpage is not available” page. With no change on my behalf, I started seeing different error pages as shown below.
At the time I didn’t think much of it at all. Now I believe it shows the vital clue in this whole situation. But before figuring that out I did some more research into what MediaShift did. Here’s a slide from their front page that was particularly interesting. Internet network providers you say? I dug further into their site and found their list of partners.
After looking through these providers for more info I found the final piece of the puzzle. RGNets.com‘s main product is the rXg box. Look back to that new error page I was seeing. Here is the fine print:
Generated Sat, 04 Jan 2014 23:52:15 GMT by va-bbg-core-rxg2.am3wireless.com (squid/3.3.3)
Notice three interesting points:
- The machine seems to be an rXg made by RGNets.com
- Its owned by am3, Access Media 3, my ISP
- It is a squid server
Some research into squid servers shows this ability. Most interestingly the ability to “Add, remove, or modify an HTTP header field (e.g., Cookie)”. Which is exactly the injection I was seeing.
I’m certainly not ok with this at all, and I assume most people wouldn’t be. I skimmed through my Access Media contract and they do mention they have the right to ‘monitor’ the traffic across their network, however if by monitor they mean ‘conduct XSS injections against every user’ I know a lot of people will not be happy, especially with the current state of affairs regarding internet security and tracking.
Apparently similar behavior has been reported before by other ISPs:
I’ve sent an email to Access Media so we’ll see what their response is.Comments on reddit