Telkom denies putting Web users at risk - TechCentral

Telkom has rejected claims that it is employing the same techniques used by malicious hackers in so-called “man in the middle” attacks to edit code on websites in order to serve the telecommunications operator’s own content to end users.

Johannesburg-based software developer Robert MacLean warns in a recent blog post that Telkom is adding JavaScript code to websites without the permission of website owners or of Telkom customers.

The code, which MacLean says is only added on non-secure (that is, non-HTTPS) websites, is used to show subscribers to Telkom’s Internet service who also use its ADSL broadband service how much bandwidth they have left before they are capped.

“Telkom is very cleverly intercepting certain calls and redirecting them, so that unless you are actively looking for this, it appears transparent to the website and the user. What they are doing is watching for JavaScript files to be requested, and then appending additional code into those files,” he says. This code is then used to manipulate Web pages, he adds.
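One check a site owner or developer can apply against the in-transit modification of script files described above, as an added example that is not part of the article or of MacLean’s post: Subresource Integrity (SRI) lets a page publish a hash of each script so the browser refuses to run a copy whose bytes differ, and a direct comparison with a trusted copy shows exactly what was appended. The script contents are constructed samples, and the comparison assumes a trusted copy of the file (for example one read from the server’s own disk) is available.

```python
import base64
import hashlib
from typing import Optional

# Constructed sample: the JavaScript file a site actually publishes.
ORIGINAL_JS = "function total(a, b) { return a + b; }\n"

# Constructed sample: the same file with extra code appended in transit, standing
# in for the kind of addition the article describes (not Telkom's actual code).
MODIFIED_JS = ORIGINAL_JS + (
    "/* appended in transit */ "
    "document.body.insertAdjacentHTML('beforeend', '<div id=\"usage-notice\"></div>');\n"
)


def sri_token(content: str, algo: str = "sha256") -> str:
    """Return the Subresource Integrity token for a script, in the form the
    HTML integrity="" attribute uses: '<algo>-<base64 of the raw digest>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def integrity_ok(received: str, expected_token: str) -> bool:
    """Do what a browser does with integrity="": hash the bytes that actually
    arrived and refuse the script if the token does not match."""
    algo, _, _ = expected_token.partition("-")
    return sri_token(received, algo) == expected_token


def appended_code(original: str, received: str) -> Optional[str]:
    """Compare a copy fetched over plain HTTP with a trusted copy. Returns the
    appended text ('' if identical) or None when the change is not a simple
    append (rewritten in the middle, truncated, or prefixed)."""
    if received.startswith(original):
        return received[len(original):]
    return None


if __name__ == "__main__":
    token = sri_token(ORIGINAL_JS)
    print("publish:", f'<script src="app.js" integrity="{token}" crossorigin="anonymous">')
    print("clean copy passes:", integrity_ok(ORIGINAL_JS, token))
    print("modified copy passes:", integrity_ok(MODIFIED_JS, token))
    print("appended:", appended_code(ORIGINAL_JS, MODIFIED_JS))
```

SRI only protects the script, not the page that carries the integrity attribute: a page itself served over plain HTTP can have the attribute stripped in the same way, which is why serving the whole site over HTTPS is the complete fix.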

“Admittedly this is a relatively benign addition and in fact it may be seen as useful, and I can see it being sold that way to non-technical managers and executives,” MacLean writes. “Do not be fooled, though. Even this simple addition can cause major issues for you. It is impossible for Telkom to know what this addition will do to every website on the Web.”

In short, Telkom is adding JavaScript code to each page and that code could interfere with the existing code and Web pages in unforeseen ways and ultimately can break a Web page, MacLean says. “The sheer size and complexity of the Internet says that it is impossible for them to know for sure that they are not breaking a single website.”

Telkom, he says, is exposing its users to potential security risks, which he explains in greater technical detail in his blog post.

Worse still, he says, having a server that can manipulate what traffic users are sending and receiving provides a “very easy point for someone to capture traffic” and see what Telkom’s users are doing on the Internet.

This screenshot shows the Telkom Internet notification (image c/o Robert MacLean)

“While I am sure they will tell you they take security very seriously and that they do not allow that type of access to employees, what is stopping an executive at a later stage from using this to prevent adverts from MTN showing up or causing Web pages that support the EFF or the DA to not load at all? Nothing, and they have the power to do that, without oversight and without your permission. Do you trust Telkom enough to not abuse that?”

Lastly, the image displayed on users’ screens, alerting them of how much bandwidth they have left, is an extra overhead. “They are making you download more than 84,8kB of extra code and 120kB of extra images, plus the manipulation of the Web page slows down rendering,” MacLean writes. “In short, they are making the Web slower for you and helping use more of your bandwidth.”

Asked to respond to MacLean’s claims, Telkom has denied that it is using a technique similar to a “man in the middle” attack.

“In technical terms, we refer to it as an HTTP redirect, which injects JavaScript to overlay the [bandwidth usage] notification once the pre-determined threshold has been reached,” Telkom says.

“HTTP redirect is a common mechanism used in service provider networks for content caching and to optimise video streaming and does not alter the Web service content. In this instance, it overlays a notification on usage that can be done on SMS or e-mail as well.

“The in-browser notification has been purpose-built to inform the customer when they have reached 100% of the service threshold on their ‘soft cap’ product. As a result, it does not interfere with the customer’s browsing, is not a security risk, will not ‘break’ a website and poses no threat to the browser’s privacy. Telkom places the highest priority on the security and privacy of its customers.”

© 2015 NewsCentral Media

  • AnRkey

    Sjoe Telkom, dodgy as hell!

  • CharlieTango

    “Do you trust Telkom enough…” – I don’t think so, not when its CEO is in court for allegedly cloning his number plate.

  • ranger@mybroadband

    It is obvious that Telkom has spent some effort on this, and they don’t seem to be using the functionality maliciously (you seem to claim that because they can do something bad, they will, yet you don’t seem to have any evidence that they are or plan to).

    Did the author bother to ask them why? It doesn’t seem so, and as such the article seems poorly researched and very biased/one-sided.

    “Even this simple addition can cause major issues for you.”

    Can you provide some examples?

  • This type of “feature”, if really necessary, should be opt in. I am not a customer so don’t know if this is the case. If you love and trust Telkom to not abuse it, by all means switch it on. What makes me uncomfortable is the implication that you have no choice.

  • Ranger, the fact that you are a technical person (or at least seem to be from all your posts here and on MyBB), I am disappointed in your response, especially the last 2 lines. And it is not up to anyone to provide proof, but Telkom. They must prove that their unwanted code injection will have no side effects whatsoever on the pages they are being injected into, and not the other way around. This “service” should also be opt-in, and should not be forced on people. Even enabling it by default but allowing people to opt out is a no-no, as the majority of users are clueless when it comes to such things. It must be strictly opt-in.

    Also, the fact that you are a Telkom employee, renders your response somewhat biased.

  • William Stucke

    > how much bandwidth they have left before they are capped

    Come, come, Duncan. Your bandwidth is the speed of your connection. That doesn’t normally change.
    What you mean to say is “how much _TRAFFIC_ they have left before they are capped”.
    Traffic is a measure of volume. Bandwidth is a measure of speed. You’re not the first to have confused the two 😉

  • ranger@mybroadband

    You can opt out. The whole point is to reach customers who don’t know where to configure email or SMS notifications, so making it opt-in would defeat the purpose, of ensuring that customers get notifications and ensuring they know where to find the notification settings.

    Read the text of the notification, it says: “Click … to change notification settings”. If you click the link, you get to their existing application where you can enable email/SMS notifications, and disable the browser notifications.

  • ranger@mybroadband

    “They must prove that their unwanted code injection will have no side
    effects whatsoever on the pages they are being injected into, and not
    the other way around.”

    Any competent web developer can verify this themselves. The feature works by adding some JavaScript that does simple DOM manipulation. If your browser supports DOM manipulation, it will work; if it doesn’t, there will be no impact at all.

    We tested the feature extensively for weeks (I personally browsed the internet from all my personal devices for 2 weeks with the notifications showing all the time) and were unable to find any sites that were negatively affected.

    “This “service” should also be opt-in, and should not be forced on people”

    The objective is to reach people who currently have no notifications, most likely due to them not knowing where to enable notifications (and having signed up before we started auto-enabling email/SMS notifications). Making it opt-in would defeat the point.

    The objectives were to prevent customer frustration, as well as reduce the number of calls and call-outs due to customers whose internet is slow because they have reached their quota, and ensure they can find where to view their usage and enable notifications, at which point they can disable the in-browser notifications.

    I agree I am biased, but authors of a news article in a publication/site that aims to be a reputable news site should adhere to higher standards than a techie who tries to provide more insight on Telkom does.

  • I AM a web developer, and I can guarantee you that there are sites that your code will break. I could write one up, after looking at your code, and formulate my website and JavaScript to misbehave when your code is run. There is no way to ensure that your JavaScript code won’t interfere with the millions of other snippets of JavaScript code on the web. 1 (or even 10,000) users testing it for a few weeks means nothing to the vastness of the web.

    The point is, no 3rd party should be injecting any sort of code into any website that is not their own, unless they get express permission to do so, from both the website owner, and the end-user.

    If Telkom wants to notify users, they can send an email or SMS, or develop a smartphone app that will push notifications to the user once their limit is reached.