Comcast, your friendly, neighborhood internet service provider, has started sneaking in promotional ads to devices connected to one of its 3.5 million WiFi hotspots around the U.S. How does it do it? By injecting JavaScript directly into the Web pages you're browsing.

The purpose of these ads, ostensibly, is to "alert customers that they're connected to Comcast's Xfinity service" according to a Comcast spokesperson who spoke to Ars Technica. Presumably because we can't figure out which WiFi network we're connected to unless there's a honking ad on the screen. "We think it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast," he says.

The ads appear every seven minutes and last for a few seconds, just enough to be sufficiently annoying, before trailing away. Here's what the experience is like, according to Ryan Singel, the co-founder of Contextly:

A small red advertisement saying "XFINITY WiFi Peppy" scooted across the bottom of [the page] and disappeared into the ether. It happened a few times, he said. Singel took screen shots of the advertisement loading and as it appeared on his screen. He captured some code, too.

"When a user requests to view a page, Comcast injects its JavaScript into the packets being returned by the real server," Singel said.


Naturally, this raises some security red flags. JavaScript can be used to seriously fuck up a system, including controlling authentication cookies and redirecting where user data is submitted. And even if Comcast may not be actively trying to put malware on your devices, the interaction of JavaScript with websites could "create" security vulnerabilities in them, Seth Schoen, the senior staff technologist for the EFF, tells Ars. [Ars Technica]