AT&T Wi-Fi hotspot caught injecting ads into web pages
AT&T is partnering with a third-party company to inject ads into a user's browser in at least one location.
By Ian Paul
PCWorldAug 26, 2015 11:32 am PDT
Yet another major public hotspot provider has been caught injecting ads into user’s browser.
AT&T, which offers public Wi-Fi hotspots across the U.S., was caught putting ads on websites in unusual places by Jonathan Mayer, a lawyer and Ph.D. candidate in computer science at Stanford University.
Mayer was at Dulles Airport last week when he noticed Stanford’s site suddenly showing ads for jewelry and AT&T services—ads that he’d never seen on the university site before. Other sites were also showing ads in odd spots, Mayer said.
UPDATE:An AT&T spokesperson sent PCWorld the following statement:
“We trialed an advertising program for a limited time in two airports (Dulles and Reagan National) and the trial has ended. The trial was part of an ongoing effort to explore alternate ways to deliver a free Wi-Fi service that is safe, secure and fast.”
The problem with injecting ads where they shouldn’t be is that they can introduce security issues where previously there were none. Mayer also argues that this behavior can break sites and expose a user’s browser activity to “an undisclosed” third-party—RaGaPa in this case.
The good news is there’s a quick fix for any hotspot where you discover ad injection. Download the browser extension HTTPS Everywhere from the Electronic Frontier Foundation. HTTPS Everywhere works with Chrome, Firefox, and Opera, and forces your browser to use an HTTPS encrypted connection with any site that offers one. Ad injection practices like RaGaBa’s cannot affect HTTPS encrypted sites.
It is also wise to connect to a virtual private network (VPN) when using public Wi-Fi to protect yourself against malicious activity such as man-in-the-middle attacks that often try to fool you into handing over personal data such as site login information.
This article was updated at 11:27 AM Pacific on Wednesday, August 26 with a statement from AT&T.