Vodacom ISP injecting code into our internet traffic!

dayneo

New Member
Joined
Feb 22, 2010
Messages
9
Hi guys,

I don't know if anyone has noticed, but Vodacom has started (as of Monday 23rd September 2013) injecting additional code into all html pages that are not HTTPS secured.

If you view source of any html page that you may have navigated to while connected via Vodacom, you will see the following code appended to the very end of that page:
Code:
<script language="javascript"><!--
bmi_SafeAddOnload(bmi_load,"bmi_orig_img",0);//--></script>
If you connect using a different network provider, 8ta for example, and navigate to the exact same page then you do not receive this script. This script is being deliberately injected into your web pages by Vodacom.
I have tested this on multiple computers in my office and on multiple browsers with multiple cellular providers.

My research led me to the fact that some mobile operators try to use ByteMobile to "compress" your network traffic. My current finding is that in South Africa, Vodacom is the first.

For me, this is just causing a mountain of problems. For each and every page I navigate to, I receive a popup error message:
Code:
Error: 'bmi_load' is undefined
And this script is breaking our corporate web applications too (because that script raises errors all over the place).

Also see:
http://stackoverflow.com/questions/4113268/how-to-stop-javascript-injection-from-vodafone-proxy

But in any case, my biggest gripe is that they are actively tampering with the code on the page. I just don't think that is acceptable. It's practically a man-in-the-middle attack. Where does it end?
What else are they injecting into our pages that we are not yet aware of?
Since when should they choose what resolution I want a picture?
I have already laid a complaint via email, but I know how that goes.... straight into the call centre bin.

I think that as a community we need to say NO to this sort of manipulation.
 

Batista

Executive Member
Joined
Sep 2, 2011
Messages
7,900
Would be interesting to see the same page loaded with Vodacom and then with some other company. Do their T's and C's say anything about this?
 

dayneo

New Member
Joined
Feb 22, 2010
Messages
9
I have already tested with the different cellular providers and Vodacom is definitely the culprit.
If you navigate to any page that is not on HTTPS... take news24.com for example, and use Vodacom, then you get a script
Code:
<script src="http://1.2.3.4/bmi-int-js/bmi.js?version=1379075027" language="javascript"></script><![endif]-->
at the top of the page... followed by
Code:
<script language="javascript"><!--
bmi_SafeAddOnload(bmi_load,"bmi_orig_img",0);//-->
</script>
at the bottom of the page.

If you use any other cellular provider (try 8ta, MTN or Cell C), then these script blocks do not appear in the page.

I first noticed it because I received reports of errors on our corporate web app. When I looked at the error, I couldn't work out where the code was coming from.... then I discovered the user was using Vodacom. All the users having problems were all Vodacom users.
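
The comparison described in the post above (the same page fetched over Vodacom and over another provider) can be automated. This is an added example, not part of any post in this thread: it compares the script elements of a reference copy with those of a received copy and flags the ByteMobile strings quoted above. The function names and both sample pages are constructed for illustration, and the reference copy is assumed to come from a path that does not modify the page.

```python
from collections import Counter
from html.parser import HTMLParser

# Strings taken from the script snippets quoted in this thread.
BMI_MARKERS = ("bmi-int-js/bmi.js", "bmi_SafeAddOnload", "bmi_load", "bmi_orig_img")

class ScriptCollector(HTMLParser):
    """Record each <script> as (src, inline body) and each comment as
    ("#comment", text), since an injected tag may sit in a conditional comment."""
    def __init__(self):
        super().__init__()
        self.items, self._src, self._body = [], "", None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._body = dict(attrs).get("src") or "", []
    def handle_data(self, data):
        if self._body is not None:      # only text inside a <script> element
            self._body.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._body is not None:
            self.items.append((self._src, "".join(self._body).strip()))
            self._body = None
    def handle_comment(self, data):
        self.items.append(("#comment", data.strip()))

def collect(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.items

def find_injected(reference_html, received_html):
    """Return (src, body, has_bmi_marker) for items the reference copy lacks."""
    budget = Counter(collect(reference_html))
    extra = []
    for item in collect(received_html):
        if budget[item] > 0:
            budget[item] -= 1           # accounted for by the origin's markup
        else:
            extra.append(item + (any(m in part for part in item for m in BMI_MARKERS),))
    return extra

# Constructed sample: the origin's page, and the same page with script blocks
# modelled on the two quoted in this thread added at the top and bottom.
REFERENCE = ('<html><head><script src="/static/app.js"></script></head>'
             '<body><script>init();</script></body></html>')
TOP = '<script src="http://1.2.3.4/bmi-int-js/bmi.js?version=1379075027"></script>'
BOTTOM = '<script><!--\nbmi_SafeAddOnload(bmi_load,"bmi_orig_img",0);//--></script>'
RECEIVED = REFERENCE.replace("<head>", "<head>" + TOP).replace("</body>", BOTTOM + "</body>")
print(find_injected(REFERENCE, RECEIVED))
```

Any extra item is worth a look even when the marker flag is false, because it means the received markup differs from what the origin served.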
 

D-Boy

Senior Member
Joined
Apr 18, 2007
Messages
666
bunch of ghetto caching servers, really annoying if you're a webmaster
 

dayneo

New Member
Joined
Feb 22, 2010
Messages
9
DJ, I was just reading through those posts.
I know that ISPs do caching and transfer encoding etc. but the most basic principle is that the content should be presented on the client side as exactly as it came from the source.
This is just totally unacceptable on the part of Vodacom. I WILL be porting my entire family to Cell C this weekend and I will be advising clients likewise.
 

Baxteen

Honorary Master
Joined
Feb 26, 2013
Messages
17,270
anyone else pick up that the code is supposed to be commented out? there should not be anything that displays.

the <!--- is the start of a comment string and the ---> is the end. well it is in some languages, however in JavaScript you comment with a //*

in the code above there is <!-- (2 instead of 3 -)
and there is a // that would lead me to believe that there is more to the script than what is on the page and the rest is commented out properly.

Quite interesting, it means every single request via vodacom is being redone on the ISP itself, meaning they can effectively block websites, alter content or prevent you from making posts. freedom of speech right there.

just a side note I would not port to cellC if they paid me double what I pay MTN at the moment and gave me unlimited data and calls, the network quality is just atrocious and no matter what you do you will not be connected 80% of the time
 

quovadis

Expert Member
Joined
Sep 10, 2004
Messages
4,017
"A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective, is guilty of an offence."

ECT ACT No. 25 of 2002 Section 86 (2)
 

dayneo

New Member
Joined
Feb 22, 2010
Messages
9
@quovadis, are you a lawyer? How did you come up with that one?
PS. I'm not mocking/joking... If that is a real act then that's a good find....
 

PhireSide

Executive Member
Joined
Dec 31, 2006
Messages
9,665
Isn't that also in the ECT act that they are trying MagicDude for?
 

quovadis

Expert Member
Joined
Sep 10, 2004
Messages
4,017
@quovadis, are you a lawyer? How did you come up with that one?
PS. I'm not mocking/joking... If that is a real act then that's a good find....
I am not a lawyer however am very familiar with the act and yes it's from the real act. Section 86 (2) - It's whether a court would interpret it this way and how it would be argued which is the question. Of course it doesn't really matter unless an actual criminal charge is laid against Vodacom.

Isn't that also in the ECT act that they are trying MagicDude for?
Section 86 (1) is what I think they are trying with - once again, a judge will have to interpret and decide the matter - If CoJ is successful with a criminal case based on the information I've read it would have very serious ramifications.
 

dayneo

New Member
Joined
Feb 22, 2010
Messages
9
Interesting..
"A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective, is guilty of an offence."

ECT ACT No. 25 of 2002 Section 86 (2)
that is in fact what the act actually says....
See http://www.info.gov.za/view/DownloadFileAction?id=68060 page 72.
Only thing is, I think that we grant them "authority" to access the "data" (aka the web page) by virtue of them being our ISP. But do I authorise them to manipulate my pages and inject scripts..... In my mind no... Will have to read the fine print on their Ts&Cs though...
 

Nerfherder

Honorary Master
Joined
Apr 21, 2008
Messages
25,019
I thought you could fix this by changing the APN ?


Frack...are they still doing it ?


*sigh*
 

|tera|

Master of Messengers
Joined
Mar 31, 2006
Messages
21,837
What about security? Banking etc.? Does this occur on internet banking sites as well?

If so, what else can they tamper with as they please?
 

dayneo

New Member
Joined
Feb 22, 2010
Messages
9
What about security? Banking etc.? Does this occur on internet banking sites as well?
No, it does not affect banking sites. Well, at least not that I find.
Banking sites (and your GMail by default) will use HTTPS protocol which prevents this type of tampering. I.e. as long as you have that little padlock in the address bar, you are safe. If you find that the padlock is crossed out, then you know something is up....
This whole issue has to do with every other web page. <-- every other web page that you access via the Vodacom network.
 

Ockie

Resident Lead Bender
Joined
Feb 16, 2008
Messages
50,587
Hi guys,

I don't know if anyone has noticed, but Vodacom has started (as of Monday 23rd September 2013) injecting additional code into all html pages that are not HTTPS secured.
What about security? Banking etc.? Does this occur on internet banking sites as well?

If so, what else can they tamper with as they please?
..
 

quovadis

Expert Member
Joined
Sep 10, 2004
Messages
4,017
If it is in fact their proxy/cache services which are injecting the code then section 74 (1) (A) would apply:

(a) does not modify the data;

Caching

74.
(1) A service provider that transmits data provided by a recipient of the service via an information system under its control is not liable for the automatic, intermediate and temporary storage of that data, where the purpose of storing such data is to make the onward transmission of the data more efficient to other recipients of the service upon their request, as long as the service provider—
(a) does not modify the data;
(b) complies with conditions on access to the data;
(c) complies with rules regarding the updating of the data, specified in a manner widely recognised and used by industry;
(d) does not interfere with the lawful use of technology, widely recognised and used by industry, to obtain information on the use of the data; and
(e) removes or disables access to the data it has stored upon receiving a take-down notice referred to in section 77.
(2) Notwithstanding this section, a competent court may order a service provider to terminate or prevent unlawful activity in terms of any other law.
 

|tera|

Master of Messengers
Joined
Mar 31, 2006
Messages
21,837
No, it does not affect banking sites. Well, at least not that I find.
Banking sites (and your GMail by default) will use HTTPS protocol which prevents this type of tampering. I.e. as long as you have that little padlock in the address bar, you are safe. If you find that the padlock is crossed out, then you know something is up....
This whole issue has to do with every other web page. <-- every other web page that you access via the Vodacom network.
Still doesn't make me feel better. Mybb isn't SSL secured, so screw you Vodacon.
 

dayneo

New Member
Joined
Feb 22, 2010
Messages
9
@|tera|, My point exactly! And additionally, their "code injection" breaks applications.

@quovadis, Possible lawsuit here?
 

quovadis

Expert Member
Joined
Sep 10, 2004
Messages
4,017
@quovadis, Possible lawsuit here?
I am not a lawyer so a proper legal opinion would have to be sought but my personal feeling would be that perhaps Vodacom should be notified and a response received in terms of why this is happening - it may be something completely innocent. A criminal case should be a last resort and with regard to a form of civil lawsuit/class action you would have to prove actual damages.
 