Update 1 – Vodafone Script Injection,
Update 2 – Cease & Desist Notice to Thejesh,
Update 3 – Airtel Statement (see at end of post)
You wouldn’t believe it even if you are not a loyal Airtel user. We were not expecting such behaviour from Airtel either, but the truth is truth. Airtel is now being accused of secretly injecting Javascripts, and iframes into the web browser and is trying to alter the browsing experience.
We are not sure if Airtel is doing it deliberately or it is due to some technical glitch. It might also happen if the user who reported this anomaly was using some kind of proxy while using Airtel 3G and the scripts were inserted as some kind of web optimizations. But according to Thejesh GN, an InfoActivist and programmer, Airtel is inserting javascripts into user browsing sessions. Check out these screenshots shared by him.
This injection of scripts without user consent is a highly unethical thing.
According to a GitHub thread, Airtel is also inserting iframe into the browser forcibly.
Here is the tweet by Thej:
Airtell 3G is injecting javascript into your browsing session https://t.co/QHPpSKinve
— Thejesh GN (@thej) June 3, 2015
As reported on the GitHub thread, the inserted iframe tries to insert a toolbar into the browsing session.
It is worth noting the parent URL of both the iframe and the javascript (223.224.131.144) belongs to Bharti Airtel, Bangalore. As per the GitHub thread that URL leads to the following webpage of Flash Networks, but it gave us a 404 when we tried to open it.
We were certainly not expecting an ISP like Airtel to come to this for collecting user data from the browser. Getting user data is like hitting a gold mine these days. Internet companies, ad companies, and intelligence agencies are willing to pay any price for getting such personal info.
If it is proved that Airtel is doing this purposely then it can soon land up in the court of law.
PS: Airtel has already been condemned nation-wide for violating net neutrality via its Airtel Zero platform, and it certainly won’t be in the best interest of the company to do such a malicious thing.
We have contacted Airtel for a word about this and we’ll update the post as soon as they give some clarification.
[Updated – 1]
It looks like even Vodafone has been accused of doing the same. One of our readers, Dayson Pais pointed us out on Facebook that Vodafone does this when user is connected through USB dongle. He also showed us a screenshot of the same. here it is.
The encircled script is essentially inserted when users browse through their USB dongle. Vodafone around the globe has been accused of doing so, You can check this, this, this and this
If Vodafone and Airtel are doing it, chances are that other telecom operators may be doing the same. If you come across something like this with your mobile operator, do let us know.
[Update – 2 9th June]
The person – Thejesh G N – who exposed the Airtel Javascript injection has now got a legal Cease & Desist letter. The interesting part is that it has not been sent by Airtel, but by Flash Networks, Ltd., a company based out of Herzliya, Israel, via their attorneys in Mumbai. This is the company who have created that Javascript that has been inserted in Airtel user’s browsers.
The C&D order mentions that Thejesh has illegally uploaded that script to Github, as it is propreitary to them. The C&D letter was uploaded by Thejesh on Archive.org site and here is the full copy of the same.
The letter clearly states that Flash Networks has created the Javascript thats get’s injected by mobile operators for their 3G network against payment of royalties and/or license fees.
Flash Networks also sent a DMCA takedown notice to Github where the Javascript was uploaded and as of writing this update, it has been pulled down. Here is the notice that Flash Networks sent.
As of writing this, we have not recieved any communication from Airtel. We will update this post as soon as we have more to share.
Update 3 – Statement from Airtel
Airtel representatives have got back to us with their statement. They are stating that it is a standard procedure which many telco’s globaly adopt. Here is their statement in full.
“This is a standard solution deployed by telcos globally to help their customers keep track of their data usage in terms of mega bytes used. It is therefore meant to improve customer experience and empower them to manage their usage. One of our network vendor partners has piloted this solution through a third party to help customers understand their data consumption in terms of volume of data used. As a responsible corporate, we have the highest regard for customer privacy and we follow a policy of zero tolerance with regard to the confidentiality of customer data.
We are also surprised at the Cease & Desist notice served by Flash Networks to Thejesh GN, and categorically state that we have no relation, whatsoever, with the notice.”
Screenshot of a ‘view source’ screen is a violation of what, exactly?? Flash is trying to intimidate Thejesh. This will never hold up. Anyone and everyone can do a ‘view source’ and see the line of code. In any case, the JS will provide data onto a dashboard that Flash controls – you cant do anything with a line of code.
I support Thejesh. I suggest he go legal against Airtel. Is Airtel selling the information gathered from users to other countries? Indian Government should take this a serious note and take criminal action against all such ISP providers and make sure no other ISP providers does this in the future.
What is the end result of this activity to customer. what kind of problem customer will face.
brilliant for you to notice this. Would like to know the effects of these js injections into the users sessions?
Never thought that it will become such a big news ! I too covered this at end may with 2 possible solutions.
You can block the said javascript file using “Noscript” on Firefox and “scriptblock” on google chrome
For website owners there are 2 options:
1. Remove the javascript file dynamically as I have shown in
https://www.jahajee.com/Is-AIRTEL-3G-slowing-your-browsing-experience/37380/1.html
2. This is the permanent solution , make your website secure, switch to https and prevent eavesdropping by telecom providers !
Hope these companies end this stupidity. There are far better and competent ways to gather users data rather then injecting files and i-frames on others website grrrrr……
This is good option Rishi Kashyap. Is it possible to block more IP address like this? Because, Big ISPs can always change IP address easily as their have enough resource for that.
Otherwise, Making our website HTTPS it the only best option.
How can they do it for a ssl secured website? only our browser can decode the response?
Looks like you have done some serious research XD
so the issue is with 3G network only???
its really serious issue
Vodafone has been doing this for years. Last I used vodafone 3g was like 2 years back, and they insert JS in all pages when using through USB tethering or Wifi hotspot. Not sure about browsing on mobile itself, though.
Same with Aircel.
I am from Hyderabad and these java scripts are used to show ads related to their company and if any one clicks or may not money is deducted from main balance and a shitty msg will appear ” thanks you for subscribing to our videos” how is gonna pay 100rs for those shit videos when we have YouTube to watch it for free, even after the deduction that service wont work..
Vodafone also uses redirects to forcefully divert the user to certain offers and the offer plans. For example if I click on gmail.com or type it in, often Vodafone redirects to offer page for some netplan instead of showing me gmail.com So basically I lose my data while browsing and get irritated with the ads too.
add 223.224.131.144 to your PC hostfile to block it.
223.224.131.144 localhost
Hi,
We can block these scripts by sending problematic codes to Anti virus companies. When whole India protest can’t stop Zero program, we can’t stop this malicious activity also.
Government ISP BSNL is silenced by private ISPs. So nowhere else to go. All Indians completely screwed by largest ISP.
Even vodafone does so, if you are using the vodafone dongle.
Check for “http://1.2.3.4/bmi-int-js/bmi.js” in the source.
if its true then the antivirus software (i use bit defender)
will automatically block it.
nothing to worry
I’m using Airtel 4G. I don’t see any script injections by Airtel in my case.
Yes it is not ethical but technically there wont be any harm as child element iframe cannot access parent windows data due to security guidelines of Web Browsers.