Telkom has rejected claims that it is employing the same techniques used by malicious hackers in so-called “man in the middle” attacks to edit code on websites in order to serve the telecommunications operator’s own content to end users.
Johannesburg-based software developer Robert MacLean warns in a recent blog post that Telkom is adding JavaScript code to websites without the permission of website owners or of Telkom customers.
The code, which MacLean says in only added on non-secure (that is, non-HTTPS) websites, is used to show subscribers to Telkom’s Internet service provider who also use its broadband ADSL service how much bandwidth they have left before they are capped.
“Telkom is very cleverly intercepting certain calls and redirecting them, so that unless you are actively looking for this, it appears transparent to the website and the user. What they are doing is watching for JavaScript files to be requested, and then appending additional code into those files,” he says. This code is then used to manipulate Web pages, he adds.
“Admittedly this is a relatively benign addition and in fact it may be seen as useful, and I can see it being sold that way to non-technical managers and executives,” MacLean writes. “Do not be fooled, though. Even this simple addition can cause major issues for you. It is impossible for Telkom to know what this addition will do to every website on the Web.”
In short, Telkom is adding JavaScript code to each page and that code could interfere with the existing code and Web pages in unforeseen ways and ultimately can break a Web page, MacLean says. “The sheer size and complexity of the Internet says that it is impossible for them to know for sure that they are not breaking a single website.”
Telkom, he says, is exposing its users to potential security risks, which he explains in greater technical detail in his blog post.
Worse still, he says, having a server that can manipulate what traffic users are sending and receiving provides a “very easy point for someone to capture traffic” and see what Telkom’s users are doing on the Internet.
“While I am sure they will tell you they take security very seriously and that they do not allow that type of access to employees, what is stopping an executive at a later stage from using this to prevent adverts from MTN showing up or causing Web pages that support the EFF or the DA to not load at all? Nothing, and they have the power to do that, without oversight and without your permission. Do you trust Telkom enough to not abuse that?”
Lastly, the image displayed on users’ screens, alerting them of how much bandwidth they have left, is an extra overhead. “They are making you download more than 84,8kB of extra code and 120kB of extra images, plus the manipulation of the Web page slows down rendering,” MacLean writes. “In short, they are making the Web slower for you and helping use more of your bandwidth.”
Asked to respond to MacLean’s claims, Telkom has denied that it is using a technique similar to a “man in the middle” attack.
“In technical terms, we refer to it as an HTTP redirect, which injects JavaScript to overlay the [bandwidth usage] notification once the pre-determined threshold has been reached,” Telkom says.
“HTTP redirect is a common mechanism used in service provider networks for content caching and to optimise video streaming and does not alter the Web service content. In this instance, it overlays a notification on usage that can be done on SMS or e-mail as well.
“The in-browser notification has been purpose-built to inform the customer when they have reached 100% of the service threshold on their ‘soft cap’ product. As a result, it does not interfere with the customer’s browsing, is not a security risk, will not ‘break’ a website and poses no threat to the browser’s privacy. Telkom places the highest priority on the security and privacy of its customers.” — © 2015 NewsCentral Media