AT&T caught injecting web ads through free Wi-Fi hotspots

What price is free? In the case of Windows 10, many argue that it means giving up a little of your privacy, and it seems that AT&T's free Wi-Fi hotspots also come with a hidden payload.

Whilst visiting Dulles Airport, computer scientist Jonathan Mayer noticed that "the web had sprouted ads. Lots of them, in places they didn’t belong".

With time to kill waiting for a flight, Mayer set about investigating where these extra ads were coming from. It didn’t take long for him to discover that the AT&T hotspot he was connected to was the problem. He found that the hotspot was injecting a stylesheet which in turn pulled in advertising. But it didn’t end there...

Just to make sure that ads are delivered, AT&T's injected code displays ads using both JavaScript and non-JavaScript methods. Writing about his experience, Mayer suggests that as well as being irritating for web users, the ad-injection also poses a security risk. A key concern is that web traffic and activity are exposed to unknown third parties. The injected code pulls in ads from a company called RaGaPa, but it is worth noting that the ad-injection system only works for unencrypted HTTP traffic, as it is not possible to tamper with secure HTTPS traffic.
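A defender's check for the kind of injection described above, as an added example that is not taken from Mayer's write-up or from this article: it compares a copy of a page obtained over a trusted path with the copy received over the hotspot, and lists stylesheets, scripts and other external resources that appear only in the latter. The host `injector.example`, the sample HTML and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute makes the browser fetch external content.
LOADERS = {"script": "src", "link": "href", "iframe": "src", "img": "src"}

class ResourceCollector(HTMLParser):
    """Collects (tag, absolute URL) pairs plus a count of inline scripts."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = set()
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # among <link> elements only stylesheets are of interest
        url = attrs.get(LOADERS.get(tag, ""))
        if url:
            self.resources.add((tag, urljoin(self.base_url, url)))
        elif tag == "script":
            self.inline_scripts += 1

def collect(html, base_url):
    parser = ResourceCollector(base_url)
    parser.feed(html)
    return parser

def injected_resources(baseline_html, observed_html, base_url):
    """Resources present in the observed copy but absent from the baseline."""
    base, seen = collect(baseline_html, base_url), collect(observed_html, base_url)
    extra = sorted(seen.resources - base.resources)
    return {
        "resources": extra,
        "hosts": sorted({urlparse(u).hostname or "(none)" for _, u in extra}),
        "extra_inline_scripts": max(0, seen.inline_scripts - base.inline_scripts),
    }

# Constructed sample pages: the second has a stylesheet and scripts added in transit.
BASELINE = """<html><head><link rel="stylesheet" href="/site.css"></head>
<body><script src="/app.js"></script><img src="/logo.png"></body></html>"""
OBSERVED = """<html><head><link rel="stylesheet" href="/site.css">
<link rel="stylesheet" href="http://injector.example/overlay.css"></head>
<body><script src="/app.js"></script><img src="/logo.png">
<script>/* constructed inline loader */</script>
<script src="http://injector.example/ads.js"></script></body></html>"""
```

Pages that legitimately change between fetches (rotating first-party ads, A/B tests) will also show differences, so a host that appears across unrelated sites on the same network is the stronger signal.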

While AT&T's terms of service do not make explicit reference to ad-injection, Mayer points to one clause which could cover it:

We may also enable certain technologies intended to improve your experience, maintain network security, and/or optimise network utilisation that may generate records regarding the websites you visit and search terms you enter while using the Service.

Mayer is a lawyer and is aware that the subject of ad-injection is a "messy one". He says:

Regardless of where the law is, AT&T should immediately stop this practice. And if websites needed (yet another) reason to adopt HTTPS, here’s a good one.
