AT&T Wi-Fi hotspot caught injecting ads into Web pages

AT&T is partnering with a third-party company to inject ads into a user's browser in at least one location.

Yet another major public hotspot provider has been caught injecting ads into user’s browser.

AT&T, which offers public Wi-Fi hotspots across the U.S., was caught putting ads on websites in unusual places by Jonathan Mayer, a lawyer and Ph.D. candidate in computer science at Stanford University. AT&T had not responded to our request for comment at this writing.

Mayer was at Dulles Airport last week when he noticed Stanford’s site suddenly showing ads for jewelry and AT&T services—ads that he’d never seen on the university site before. Other sites were also showing ads in odd spots, Mayer said.

It appears AT&T was partnering with a third-party company RaGaPa that specializes in “HotSpot Branding.” The service would add three different bits of code into a browser tab to inject unauthorized ads on a site, including a backup ad in case a particular browser wouldn’t run JavaScript.

hotspot 1 Screenshot

An example of an ad injected over the FCC's website while on an AT&T free airport Wi-Fi hotspot.

The problem with injecting ads where they shouldn’t be is that they can introduce security issues where previously there were none. Mayer also argues that this behavior can break sites and expose a user’s browser activity to “an undisclosed” third-party—RaGaPa in this case.

It’s not clear if AT&T’s Dulles hotspot was just one part of a small pilot project or if this kind of ad injection is active across AT&T’s entire Wi-Fi network.

The story behind the story: Injecting unwanted ads into user’s browsers has been something of an issue in recent years. In September 2014, Comcast was also caught injecting ads at its public hotspots for the company’s own services. In 2012, the Marriott hotel chain was doing something similar. Nearly 200 shady Chrome extensions were also into the practice, which Google began clamping down on in April.

It’s fixable

The good news is there’s a quick fix for those who regularly use AT&T Wi-Fi hotspots or anywhere else you discover ad injection. Download the browser extension HTTPS Everywhere from the Electronic Frontier Foundation. HTTPS Everywhere works with Chrome, Firefox, and Opera, and forces your browser to use an HTTPS encrypted connection with any site that offers one. Ad injection practices like RaGaBa’s cannot affect HTTPS encrypted sites.

It is also wise to connect to a virtual private network (VPN) when using public Wi-Fi to protect yourself against malicious activity such as man-in-the-middle attacks that often try to fool you into handing over personal data such as site login information.

This story, "AT&T Wi-Fi hotspot caught injecting ads into Web pages" was originally published by PCWorld.

To comment on this article and other CIO content, visit us on Facebook, LinkedIn or Twitter.
Download the CIO October 2016 Digital Magazine
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.