Yet another major public hotspot provider has been caught injecting ads into user’s browser.
AT&T, which offers public Wi-Fi hotspots across the U.S., was caught putting ads on websites in unusual places by Jonathan Mayer, a lawyer and Ph.D. candidate in computer science at Stanford University.
Mayer was at Dulles Airport last week when he noticed Stanford’s site suddenly showing ads for jewelry and AT&T services—ads that he’d never seen on the university site before. Other sites were also showing ads in odd spots, Mayer said.
It appears AT&T was partnering with a third-party company RaGaPa that specializes in “HotSpot Branding.” The service would add three different bits of code into a browser tab to inject unauthorized ads on a site, including a backup ad in case a particular browser wouldn’t run JavaScript.
UPDATE: An AT&T spokesperson sent PCWorld the following statement:
“We trialed an advertising program for a limited time in two airports (Dulles and Reagan National) and the trial has ended. The trial was part of an ongoing effort to explore alternate ways to deliver a free Wi-Fi service that is safe, secure and fast.”
Screenshot An example of an ad injected over the FCC’s website while on an AT&T free airport Wi-Fi hotspot.
The problem with injecting ads where they shouldn’t be is that they can introduce security issues where previously there were none. Mayer also argues that this behavior can break sites and expose a user’s browser activity to “an undisclosed” third-party—RaGaPa in this case.
The story behind the story: Injecting unwanted ads into user’s browsers has been something of an issue in recent years. In September 2014, Comcast was also caught injecting ads at its public hotspots for the company’s own services. In 2012, the Marriott hotel chain was doing something similar. Nearly 200 shady Chrome extensions were also into the practice, which Google began clamping down on in April.
It’s fixable
The good news is there’s a quick fix for any hotspot where you discover ad injection. Download the browser extension HTTPS Everywhere from the Electronic Frontier Foundation. HTTPS Everywhere works with Chrome, Firefox, and Opera, and forces your browser to use an HTTPS encrypted connection with any site that offers one. Ad injection practices like RaGaBa’s cannot affect HTTPS encrypted sites.
It is also wise to connect to a virtual private network (VPN) when using public Wi-Fi to protect yourself against malicious activity such as man-in-the-middle attacks that often try to fool you into handing over personal data such as site login information.
This article was updated at 11:27 AM Pacific on Wednesday, August 26 with a statement from AT&T.