Update 1 – Vodafone Script Injection,
Update 2 – Cease & Desist Notice to Thejesh,
Update 3 – Airtel Statement (see at end of post)
You may not believe it, even if you are not a loyal Airtel user. We were not expecting such behavior from Airtel either, but the truth is the truth. Airtel is now being accused of secretly injecting JavaScript and iframes into the web browser and of trying to alter the browsing experience.
We are not sure whether Airtel is doing this deliberately or whether it is due to some technical glitch. It might also happen if the user who reported this anomaly was using some kind of proxy while on Airtel 3G and the scripts were inserted as some kind of web optimization. But according to Thejesh GN, an InfoActivist and programmer, Airtel is inserting JavaScript into user browsing sessions. Check out these screenshots shared by him.
This injection of scripts without user consent is a highly unethical thing.
According to a GitHub thread, Airtel is also forcibly inserting an iframe into the browser.
As reported on the GitHub thread, the inserted iframe tries to insert a toolbar into the browsing session.
It is worth noting that the parent URL of both the iframe and the JavaScript (223.224.131.144) belongs to Bharti Airtel, Bangalore. As per the GitHub thread, that URL leads to the following web page of Flash Networks, but it gave us a 404 when we tried to open it.
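One way to check a page for the kind of in-transit insertion described above, as an added example that is not part of the original post or the GitHub thread: compare the script and iframe sources in the copy received over the mobile connection against a reference copy fetched over a path the operator cannot modify. The sample pages and the `PLACEHOLDER` paths are constructed; only the IP address comes from the post.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse


class _Sources(HTMLParser):
    """Collect the src of every <script> and <iframe> tag."""
    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.found.add((tag, src.strip()))


def sources(html):
    parser = _Sources()
    parser.feed(html)
    parser.close()
    return parser.found


def is_bare_ip(url):
    """True when the URL's host is an IP literal rather than a domain name."""
    host = urlparse(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def injected(reference_html, observed_html):
    """Sorted (tag, src, bare_ip) entries present only in the observed copy."""
    extra = sources(observed_html) - sources(reference_html)
    return sorted((tag, src, is_bare_ip(src)) for tag, src in extra)


# Constructed sample: the same page as served (REFERENCE) and as received (OBSERVED).
REFERENCE = ('<html><head><script src="https://example.org/app.js"></script></head>'
             '<body><p>Hello</p></body></html>')
OBSERVED = ('<html><head><script src="https://example.org/app.js"></script>'
            '<script src="http://223.224.131.144/PLACEHOLDER.js"></script></head>'
            '<body><p>Hello</p>'
            '<iframe src="http://223.224.131.144/PLACEHOLDER.html"></iframe></body></html>')

if __name__ == "__main__":
    for tag, src, bare in injected(REFERENCE, OBSERVED):
        print(tag, src, "(bare-IP host)" if bare else "")
```

Only pages served over plain HTTP can be altered this way in transit, so the observed copy should be an HTTP page. Pages with rotating ads or other dynamic content can differ for legitimate reasons, so each reported source is a lead to inspect rather than proof.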
We were certainly not expecting an ISP like Airtel to come to this for collecting user data from the browser. Getting user data is like hitting a gold mine these days. Internet companies, ad companies, and intelligence agencies are willing to pay any price for getting such personal info.
If it is proved that Airtel is doing this on purpose, it could soon end up in a court of law.
PS: Airtel has already been condemned nationwide for violating net neutrality via its Airtel Zero platform, and it certainly won’t be in the best interest of the company to do such a malicious thing.
We have contacted Airtel for a word about this and we’ll update the post as soon as they give some clarification.
[Updated – 1]
It looks like even Vodafone has been accused of doing the same. One of our readers, Dayson Pais, pointed out to us on Facebook that Vodafone does this when the user is connected through a USB dongle.
He also showed us a screenshot of the same. Here it is.
The encircled script is essentially inserted when users browse through their USB dongle. Vodafone has been accused of doing so around the globe; you can check this, this, this and this.
If Vodafone and Airtel are doing it, chances are that other telecom operators may be doing the same. If you come across something like this with your mobile operator, do let us know.
[Update – 29th June]
The person – Thejesh G N – who exposed the Airtel JavaScript injection has now received a legal Cease & Desist letter. The interesting part is that it was sent not by Airtel but by Flash Networks, Ltd., a company based out of Herzliya, Israel, via their attorneys in Mumbai. This is the company that created the JavaScript that has been inserted into Airtel users’ browsers.
The C&D order mentions that Thejesh has illegally uploaded that script to GitHub, as it is proprietary to them. The C&D letter was uploaded by Thejesh to the Archive.org site, and here is the full copy of the same.
The letter clearly states that Flash Networks has created the JavaScript that gets injected by mobile operators for their 3G network against payment of royalties and/or license fees.
Flash Networks also sent a DMCA takedown notice to GitHub, where the JavaScript was uploaded, and as of writing this update, it has been pulled down. Here is the notice that Flash Networks sent.
As of writing this, we have not received any communication from Airtel. We will update this post as soon as we have more to share.
Update 3 – Statement from Airtel
Airtel representatives have got back to us with their statement. They state that it is a standard procedure which many telcos globally adopt. Here is their statement in full.
“This is a standard solution deployed by telcos globally to help their customers keep track of their data usage in terms of mega bytes used. It is therefore meant to improve customer experience and empower them to manage their usage. One of our network vendor partners has piloted this solution through a third party to help customers understand their data consumption in terms of volume of data used. As a responsible corporate, we have the highest regard for customer privacy and we follow a policy of zero tolerance with regard to the confidentiality of customer data.
We are also surprised at the Cease & Desist notice served by Flash Networks to Thejesh GN, and categorically state that we have no relation, whatsoever, with the notice.”