Vodacom ISP injecting code into our internet traffic!

[dayneo]

Hi guys,

I don't know if anyone has noticed, but Vodacom has started (as of Monday 23rd September 2013) injecting additional code into all html pages that are not HTTPS secured.

If you view source of any html page that you may have navigated to while connected via Vodacom, you will see the following code appended to the very end of that page:

<script language="javascript"><!--
bmi_SafeAddOnload(bmi_load,"bmi_orig_img",0);//--></script>

If you connect using a different network provider, 8ta for example, and navigate to the exact same page then you do not receive this script. This script is being deliberately injected into your web pages by Vodacom.
I have tested this on multiple computers in my office and on multiple browsers with multiple cellular providers.

My research led me to the fact that some mobile operators try to use ByteMobile to "compress" your network traffic. My current finding is that in South Africa, Vodacom is the first.

For me, this is just causing a mountain of problems. For each and every page I navigate to, I receive a popup error message:

Error: 'bmi_load' is undefined

And this script is breaking our corporate web applications too (because that script raises errors all over the place).

Also see:
http://stackoverflow.com/questions/4113268/how-to-stop-javascript-injection-from-vodafone-proxy

But in any case, my biggest gripe is that they are actively tampering with the code on the page. I just don't think that is acceptable. It's practically a man-in-the-middle attack. Where does it end?
What else are they injecting into our pages that we are not yet aware of?
Since when should they choose what resolution I want a picture?
I have already laid a complaint via email, but I know how that goes.... straight into the call centre bin.

I think that as a community we need to say NO to this sort of manipulation.

 

[Batista]

Wold be interesting to seee th same page loaded with vodacom and then with some other company.Do their T's and C's say anything about this?

 

[dayneo]

I have already tested with the different cellular providers and Vodacom is definitely the culpret.
If you navigate to any page that is not on HTTPS... take news24.com for example, and use Vodacom, then you get a script

<script src="http://1.2.3.4/bmi-int-js/bmi.js?version=1379075027" language="javascript"></script><![endif]-->

at the top of the page... followed by

<script language="javascript"><!--
bmi_SafeAddOnload(bmi_load,"bmi_orig_img",0);//-->
</script>

at the bottom of the page.

If you use any other cellular provider (try 8ta, MTN or Cell C), then these script blocks do not appear in the page.

I first noticed it because I received reports of errors on our corporate web app. When I looked at the error, I couldn't work out where the code was coming from.... then I discovered the user was using Vodacom. All the users having problems were all Vodacom users.

 

[DJ...]

They've been injecting code into your traffic for a long time now. They said it was over...on numerous occasions...

http://mybroadband.co.za/vb/showthread.php/441257-Vodacom-throttling-image-quality-on-3G
http://mybroadband.co.za/vb/showthread.php/16723-A-warning-to-all-potential-Vodacom-3G-clients

 

[D-Boy]

bunch of ghetto caching servers, really annoying if your a webmaster

 

[dayneo]

DJ, I was just reading through those posts.
I know that ISP's do caching and transfer encoding etc. but the most basic principle is that the content should be presented on the client side as exactly as it came from the source.
This is just totally unacceptable on the part of Vodacom. I WILL be porting my entire family to Cell C this weekend and I will be advising clients likewise.

 

[Baxteen]

anyone else pick up that the code is supposed to be commented out? there should not be anything that displays.

the <!--- is the start of a comment string and the ---> is the end. well it is in some languages, however in JavaScript you comment with a //*

in the code above there is <!-- (2 instead of 3 -)
and there is a // that would lead me to believe that there is more to the script than what is on the page and the rest is commented out properly.

Quite interesting, it means every single request via vodacom is being redone on the ISP itself, meaning they can effectively block websites, alter content or prevent you from making posts. freedom of speech right there.

just a side note I would not port to cellC if they paid me double what I pay MTN at the moment and gave me unlimited data and calls, the network quality is just atrocious and no matter what you do you will not be connected 80% of the time

 

[quovadis]

"A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective, is guilty of an offence."

ECT ACT No. 25 of 2002 Section 86 (2)

 

[dayneo]

@quovadis, are you a lawyer? How did you come up with that one?
PS. I'm not mocking/joking... If that is a real act then that's a good find....

 

[PhireSide]

Isn't that also in the ECT act that they are trying MagicDude for?

 

[quovadis]

@quovadis, are you a lawyer? How did you come up with that one?
PS. I'm not mocking/joking... If that is a real act then that's a good find....

I am not a lawyer however am very familiar with the act and yes it's from the real act. Section 86 (2) - It's whether a court would interprete it this way and how it would be argued which is the question. Of course it doesn't really matter unless an actual criminal charge is laid against Vodacom.

Isn't that also in the ECT act that they are trying MagicDude for?

Section 86 (1) is what I think they are trying with - once again, a judge will have to interpret and decide the matter - If CoJ is successful with a criminal case based on the information I've read it would have very serious ramifications.

 

[dayneo]

Interesting..

"A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective, is guilty of an offence."

ECT ACT No. 25 of 2002 Section 86 (2)

that is in fact what the act actually says....
See http://www.info.gov.za/view/DownloadFileAction?id=68060 page 72.
Only thing is, I think that we grant them "authority" to access the "data" (aka the web page) by virtue of them being our ISP. But do I authorise them to manipulate my pages and inject scripts..... In my mind no... Will have to read the fine print on their Ts&Cs though...

 

[Nerfherder]

I thought you could fix this by changing the APN ?


Frack...are they still doing it ?


*sigh*

 

[|tera|]

What about security? Banking etc.? Does this occur on internet banking sites as well?

If so, what else can they tamper with as they please?

 

[dayneo]

What about security? Banking etc.? Does this occur on internet banking sites as well?

No, it does not affect banking sites. Well, at least not that I find.
Banking sites (and your GMail by default) will use HTTPS protocol which prevents this type of tampering. I.e. as long as you have that little padlock in the address bar, you are safe. If you find that the padlock is crossed out, then you know something is up....
This whole issue has to do with every other web page. <-- every other web page that you access via the Vodacom network.

 

[Ockie]

Hi guys,

I don't know if anyone has noticed, but Vodacom has started (as of Monday 23rd September 2013) injecting additional code into all html pages that are not HTTPS secured.

What about security? Banking etc.? Does this occur on internet banking sites as well?

If so, what else can they tamper with as they please?

..

 

[quovadis]

If it is in fact their proxy/cache services which are injecting the code then section 74 (1) (A) would apply:

(a) does not modify the data;

Caching

74.
(1) A service provider that transmits data provided by a recipient of the service via an information system under its control is not liable for the automatic, intermediate and temporary storage of that data, where the purpose of storing such data is to make the onward transmission of the data more efficient to other recipients of the service upon their request, as long as the service provider—*
(a) does not modify the data;
(b) complies with conditions on access to the data;
(c) complies with rules regarding the updating of the data, specified in a manner widely recognised and used by industry;
(d) does not interfere with the lawful use of technology, widely recognised and used by industry, to obtain information on the use of the data; and
(e) removes or disables access to the data it has stored upon receiving a take-down notice referred to in section 77.
(2) Notwithstanding this section, a competent court may order a service provider to terminate or prevent unlawful activity in terms of any other law.

 

[|tera|]

No, it does not affect banking sites. Well, at least not that I find.
Banking sites (and your GMail by default) will use HTTPS protocol which prevents this type of tampering. I.e. as long as you have that little padlock in the address bar, you are safe. If you find that the padlock is crossed out, then you know something is up....
This whole issue has to do with every other web page. <-- every other web page that you access via the Vodacom network.

Still doesn't make me feel better. Mybb isn't SSL secured, so screw you Vodacon.

 

[dayneo]

@|tera|, My point exactly! And additionally, their "code injection" breaks applications.

@quovadis, Possible law suite here?

 

[quovadis]

@quovadis, Possible law suite here?

I am not a lawyer so a proper legal opinion would have to be sought but my personal feeling would be that perhaps Vodacom should be notified and a response received in terms of why this is happening - it may be something completely innocent. A criminal case should be a last resort and regards to a form of civil law suit/class action you would have to prove actual damages.