Hotel Wifi JavaScript Injection
So I’m checking my blog on the hotel wifi, like ya do, and I notice something a little off with the style. There’s a dark colored bar at the top of the page that shouldn’t be there. That’s funny. Maybe a recent Firefox update changed how they treat CSS?
I probably wouldn’t have thought much of it, except my blog had recently been hacked (someone had gained elevated access to my web hosting account and prepended every single PHP file with a base64 encoded rootkit), so I immediately decided to view the source. Sure enough I saw some unfamiliar CSS and JavaScript that had been injected after the <head>
tag (reformatted here for readability):
<style type="text/css"> #rxgheader { visibility:hidden; color:#111; background:#ffffff; text-align:center; border-bottom:1px solid #666; z-index:10000; position:fixed; width:100%; top:0; } #rxgleftbar { visibility:hidden; color:#111; background:#fff; border-right:1px solid #666; z-index:10000; position:fixed; height:100%; left:0; } #rxgrightbar { visibility:hidden; color:#111; background:#fff; border-left:1px solid #666; z-index:10000; position:fixed; height:100%; right:0; } #rxgfooter { visibility:hidden; color:#111; background:#ffffff; text-align:center; border-top:1px solid #666; z-index:10000; position:fixed; width:100%; bottom:0; } #rxgcontent { } </style> <script language="JavaScript" type="text/javascript"> function checkVisible() { var footer, header, leftbar, rightbar, content; if (document.all) { footer = document.all.rxgfooter; header = document.all.rxgheader; leftbar = document.all.rxgleftbar; rightbar = document.all.rxgrightbar; content = document.all.rxgcontent; } else if (document.getElementById) { footer = document.getElementById('rxgfooter'); header = document.getElementById('rxgheader'); leftbar = document.getElementById('rxgleftbar'); rightbar = document.getElementById('rxgrightbar'); content = document.getElementById('rxgcontent'); } if (footer) { if (footer.offsetWidth > 600) { footer.style.visibility = 'visible'; content.style.paddingBottom = (footer.offsetHeight + 4) + "px"; } } if (header) { if (header.offsetWidth > 600) { header.style.visibility = 'visible'; content.style.paddingTop = (header.offsetHeight + 4) + "px"; } } if (leftbar) { if (leftbar.offsetHeight > 400) { leftbar.style.visibility = 'visible'; content.style.paddingLeft = (leftbar.offsetWidth + 4) + "px"; } } if (rightbar) { if (rightbar.offsetHeight > 400) { rightbar.style.visibility = 'visible'; content.style.paddingRight = (rightbar.offsetWidth + 4) + "px"; } } } </script>
And I found some unfamiliar JavaScript after the <body>
tag (also reformatted):
<div id="rxgheader"> <script type='text/javascript'> var advnIsAdProviders = true; var advnIsPersistCookie = false; var mCustomerId = 44; var advnIsHideImmediately = false; var mDelayLoad = 1000; var advnAdRotationDelay = 30000; var jsUrl = 'http://adsmws.cloudapp.net/user/advnads20.js'; function addScript(jsUrl) { var AdvnScript = document.createElement('script'); AdvnScript.setAttribute('src', jsUrl); AdvnScript.setAttribute('type', 'text/javascript'); document.body.appendChild(AdvnScript); } setTimeout('addScript(jsUrl)', 50); </script> <div id = "rxgcontent"> <script language = "JavaScript" type = "text/javascript"> checkVisible(); </script>
For the non-web-developers reading, the most salient bits to note above are the prefix “rxg” in the CSS and the URL http://adsmws.cloudapp.net/user/advnads20.js pointing to a packed external JavaScript file that looked very suspicious. RXG appears to be a common extension used in viruses and malware, but I found very few results in Google having to do with advnads20.js or adsmws.cloudapp.net.
Immediately I ssh
ed into my webhost, and did an svn diff
on my WordPress core files. No changes. Hmm, maybe someone mucked with my custom theme files (which are not under version control)? Nope, no dice, everything appeared kosher. It occurred to me to wget
my blog while I was ssh
ed into my webhost’s server in Los Angeles—to see if the changes were also showing up there. Nope. Bingo! I loaded Stephanie’s blog and found the same symptoms in the source—but she’s hosted under my account. So just in case, I loaded Andre’s blog, hosted by TypePad. Same thing. Verdict: somewhere between the internet and my computer, someone is injecting JavaScript into EVERY SINGLE PAGE I LOAD.
I found a utility that unpacks packed JavaScript, and it only took a quick skim of advnads20.js (over 1900 lines reformatted) to estimate that its primary purpose is ad injection/takeover. The good news is, this explains why all the embedded YouTube videos in Google Reader were showing up as empty black squares.
But the question remains, did the hotel’s wifi access point get hacked, or is something more nefarious at work? Is it possible that the hotel’s internet service provider is doing this on purpose? Could it be that the Courtyard Marriott in Times Square is actually aware of and condoning this type of bad behavior?
In any case, who the heck do I report something like this to?
Update: I really wanted to give Marriott the benefit of the doubt, but it turns out I was wrong. There is something more nefarious at work. Thanks to Danny in the comments, I learned that the “rxg” I saw in the injected CSS and JavaScript is short for Revenue eXtraction Gateway, a wireless hotspot gateway product built by RG Nets, Inc., and available for sale from Wlan Mall.
In short, the Courtyard Marriott is using the RXG to inject JavaScript into the HTML of every webpage its hotel customers view for the purpose of injecting ads (and in the meantime, breaking YouTube). Marriott’s wireless internet service provider is a third-party company called Hotel Internet Services, so it is possible, though unlikely, that Marriott doesn’t know what’s going on. But it’s crazy to me that I’m paying $368 a night for a hotel room, and this is how I get treated.
Update: I guess not all press is good press. Ronen Isaac (coincidentally of Wlan Mall) appears to have taken down the Vimeo video (I had previously embedded above) that I thought did such an excellent job describing how the Revenue eXtraction Gateway worked.
Sorry, “RGnets RXG Injection Advertising Demo” was deleted at 10:17:28 Fri Apr 6, 2012. We have no more information about it on our mainframe or elsewhere.
Good thing RG Nets still has the video up on their own site! And thanks to The Verge, there’s now a copy of the video up on YouTube that I can embed for your viewing pleasure:
Demo of RGnets RXG Injection Advertising
Here’s a transcript of the video’s hypnotic, robotic voice-over:
The video demonstrates the HTML payload rewriting feature of the RG Nets Revenue eXtraction Gateway. The web browser that you are looking at is that of an end user that is connected to the internet through an RG Nets Revenue eXtraction Gateway. The end user is running stock IE7 without any special plugins or installations. All rewriting is done on the fly in the RXG. The RXG is configured to rewrite all transit webpages to include a banner advertisement for a BMW S1000RR motorcycle. The S1000RR banner can be positioned at the top, bottom, left, or right side of webpages. In addition, the banner may be rotated with other banners to simultaneously support multiple advertising campaigns. Of course the banners may also be linked to any website desired. As you can see the pervasive nature of the advertising banner on all webpages guarantees banner advertising impressions. The RG Nets RXG HTML payload rewriting feature is a tremendously powerful tool, with a broad spectrum of applications for internet marketing programs.
Update: A thought exercise: imagine the hotel delivered complementary issues of the New York Times to every room, except that in this case, all the ads had been cut out, some of the articles had been accidentally cut out (because they happened to be on the other side of an ad), and on every single page there’s a new ad that’s been stuck on top. How would you react? How do you think the New York Times would react?
Update: Here’s a round-up of people talking about Hotel Wifi JavaScript Injection around the web:
- Hacker News
- MetaFilter
- Digg
- TechCrunch (twice!)
- The New York Times’ Bits Blog (twice!)
- The Verge (twice!)
- The Huffington Post’s Gadling Blog (twice!)
- heise online
- Boing Boing
(though they didn’t link to my post!) - Forbes
- https://doesmysiteneedhttps.com/
Update, April 9, 2012: I just received the following message from a representative of Marriott:
As soon as we learned of the situation, we launched an investigation into the matter. Preliminary findings revealed that, unbeknownst to the hotel, the Internet service provider (ISP) was utilizing functionality that allowed advertising to be pushed to the end user. The ISP has assured the hotel that this functionality has now been disabled.
While this is a common marketing practice with many Internet service providers, Marriott does not condone this practice. At no time was data security ever at risk.”
Though I’d question the assertion that network-level JavaScript injection is a “common marketing practice”, I’m glad they say it has been disabled. I’m currently back in San Francisco, so I have no way to confirm, but I’ll likely be back in NYC staying at the same hotel in a month.
Update: Something has bothered me about Marriott’s official response above. I completely get that Marriott is a large sprawling corporation, and it’s likely that the right hand often does not know what the left hand is doing. I get that. I’ve worked in much smaller organizations where that has been the case. I also get that their response is a typical, old school public relations gloss over the problem—without any satisfying transparency as to how the problem came to be or any meaningful details about how it was ameliorated.
What bugs me about their response is that the device required to do this type of on-the-fly JavaScript injection of HTML is both rare and expensive. It requires specialized hardware (like the RG Nets’ RXG-A8) starting at a cost of $10,000. In other words, this hardware was procured precisely for the purpose of perpetrating this kind of attack. If Courtyard/Marriott/Hotel Internet Services didn’t want that feature, then they probably could have requisitioned cheaper, less specialized, and more robust networking hardware.
Which means that the optimal solution to this snafu wasn’t simply that “we’ve disabled the functionality”—it has to be “we’ve removed/replaced the offensive hardware”. Nothing less is sufficient. Otherwise, what’s to stop someone from accidentally (or otherwise) re-enabling it later?
Report it first to the Courtyard Marriott’s tech people. If you have difficulty reaching a knowledgable person there, start talking about it on their yelp page and/or twitter. Sometimes negative press is necessary to spur action.
Either this is an intentional revenue generator by the hotel/wifi provider, or more likely, their access point is hacked. It’s also possible that neither of these things is true and you’ve connected to a rogue network set up to mimic official hotel wifi.
Sucks.
Also, have you tried browsing in recent versions of Chrome? There are recent security measures intended to check for certain kinds of SSL-related man-in-the-middle attacks, e.g. http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html
It’s kind of tangential and unlikely your certs are being altered, but worth a check.
And finally (really here) a video explanation of the code injection you’re seeing:
http://vimeo.com/11369399
And a reference citing that it isn’t unheard of for hotels to inflict this on you:
http://www.ehow.com/how-does_5144622_do-wifi-hotspots-work.html
I’ve seen it before myself, but it’s been a while.
Danny, your Google-foo is stronger than mine. Heh. My blog is my negative press soapbox. Thanks to Google and the rarity of this issue, my post already owns the search results for hotel wifi javascript injection.
Can you imagine the Yelp review: “Beds were comfortable, but I felt violated by the javascript injection in their wifi…”
Chrome (Chromium) is affected the same as Firefox.
Also, where in these United States is a Courtyard Marriott $368 a night? (So I can avoid going there)
Classic Justinsomnia post! Internet detective. And great find back to rXg, Danny. The Vimeo poster (where did he get that voiceover?!) links back to: http://www.wlanmall.com/ , heh.
I’ve seen something similar years ago at “free” airport wifi but with an iframe from the gateway that stays persistent with ads, while browsing.
Jackie: NYC, Times Square (and that’s pre-tax).
Jonathan: I have to say I’ve never seen anything like it. It really bothered me—what would prevent someone from installing a javascript keylogger and capturing my username and passwords as I type them?
Hrm, I wonder if you were sue happy if you could use them for false advertising. Is it still internet when you violate end-to-end?
Nick, I definitely feel strongly that this is very bad behavior, but for some reason I feel like bringing attention to the issue and shaming Marriott into changing their policy is far more rewarding than figuring out some pretense to sue them.
My experience with wifi on Southwest Airlines is that they do something very similar. I’ve see this in other hotels in the US as well.
So, this is what you have been up to since you left, schmoozing in fancy hotels!!
Was the wifi free? I wonder if they mention anything about ads in the wifi terms of use. My guess is that this is very common. A good ad blocker should help.
Hey Justin,
I’ve contacted the Marriott and they’re interested in looking into the matter. They’re going to reach out for details.
So you’re using a network that you don’t control and you aren’t using a VPN? NAUGHTY!
Conrad, the wifi was free, however the hotel room was not inexpensive. I saved a copy of the wifi terms of sure, read the whole thing, there’s nothing that comes even close to “we reserve the right to modify the HTML you request en route.”
Ken S, sounds cool. I also reached out (found an email address for to Marriott Corporate Business Ethics group), but like I said, this is the type of issue normal channels of customer support are not set up to handle.
Chris Wilkinson, I have to admit, I’m relatively VPN-ignorant. I tend to associate VPN use with big corporations. Are there inexpensive VPN solutions available for private citizens?
Please keep us informed about this. I think its abhorrent.
Justin: I would recommend privatvpn.se, they have hosts in multiple countries.
Although I am curious if VPN even would work. I feel they might block traffic to force you to view their ads.
i’ve used hotel wifi in New York City that has detected websites as i browsed them, and has done redirects to quasi-lookalike sites, or sites with a similar theme. Presumably, the ad revenue racked up on these sites that i was redirected to is split with the hotel using the service. Dirty … especially since i was paying for the wifi acces.
– Ryan
Sounds like a good use case for lynx.
A VPN would work fine, because they will be using encryption, which can’t be snooped on or altered.
I would never use a hotel network, especially a wifi network, without a VPN. Not only could anyone else be packet-sniffing/injecting, clearly the network provider itself was inspecting your http requests and adding in js that you didn’t want. Sure there is the Https Everywhere Addon for Firefox but that doesn’t help you on non-https sites. There are many VPN services out there. I recommend using one on any network that you do not know the intimate details of.
So… What you’re saying is that the ISP was distributing a unlicensed derivative work of every web page you visited?
Justin, I use the “Ultimate” service from http://www.acevpn.com and it’s exactly what you should be using. They provide multiple servers in different locations. The service is through OpenVPN so you can connect easily from Mac, Windows and Linux. Looks like you’re running Ubuntu??
Let me also recommend the Ghostery Addon for Firefox/Chrome which can block cookies as well as 3rd party tracking beacons as well as those 1 pixel trackers by site/url if needed. When you see how all of these sites track you on the Internet, it’s staggering. I block as many as I can without totally degrading my Internet experience.
Mozilla’s Collusion addon provides a graphic visualization of the trackers in real-time.
https://www.mozilla.org/en-US/collusion/
(Full disclosure, I work for Mozilla but not on Collusion.)
Pjones, yeah, I guess you could say so. ;) But not only that, if you look at the JavaScript they’re injecting, they appear to also be replacing or blocking hundreds of other ad providers. And worst of all, the code breaks YouTube!
Pete and Chris Wilkinson, thanks for the VPN info. I’ll take a closer look. Yes, I’m using Ubuntu Natty.
Gen Kanai, thanks for the comments. Ghostery has come up on several occasions lately. I’ll have to check out Collusion as well.
I’ve posted this to MetaFilter.
http://www.metafilter.com/114585/Courtyard-Marriott-in-Times-Square-is-spying-on-and-manipulating-your-Internet
Good post, thank you Justin, very useful.
I am a co-founder at a startup that does advertising on WiFi networks. We only run advertising before you connect (when you are in a captive portal), without the use of proxying.
Before anyone overreacts to this article, it would be beneficial to understand the hospitality space. The hotel you stayed at is most likely owned by a franchise group and operated by a GM. GMs are responsible for contracting their own networking services with Hotel WiFi Operators such as the one mentioned here. As such, a major hotel brand such as Marriott may use hundreds of WiFi operators. WiFi operators range in size, managing anywhere between one property to tens of thousands. The vast majority of these operators do not leverage javascript injection.
The ones that resort to proxied ad injection do so because hotel IT is a thin-margin business. WiFi is considered a cost center but is tolerated because it is the number one amenity requested by guests. Operators will sometimes offer a discounted service fee to the hotel GM in exchange for mid-stream ads, although, in this case, it is just as likely that the hotel GM is unaware of this. It is almost absolutely certain that Marriott is unaware of this. Even if they were made aware, the power balance between the brand and the franchisee is not clearly defined with regards to WiFi.
As much as I dislike ad injection, it is important to note that public WiFi is never safe unless you are using a VPN. It is offered as an amenity, one that GMs would be more than happy to get rid of if they could. Unlike with your broadband ISP, you have logged into a privately operated network. You are probably not paying for it. You are subject to their rules. Furthermore, when you signed onto the WiFi network, you most likely had to check a checkbox indicating your agreement to the terms of their network (which no one ever reads). As such, caveat emptor, etc.
I’ve added the following filter..
https://hg.fanboy.co.nz/rev/35eaae9134b6
Lemme know if that helps with those adverts :)
http://www.fanboy.co.nz
Turn on SSL =)
I’ll bet if you find an amazon link somewhere you will find it contains a fresh affiliate id attached to this RG Nets company
And this is why you always tunnel your entire computer’s traffic through a VPN or SSH tunnel. Sidestep is great on the MAC, OpenVPN is great on Windows.
Henry L, I appreciate your response, and I understand where you’re coming from, though I think you’re being defensive. Just so you know where I’m coming from, I’m not opposed to online advertising. I spent 4 years working for Federated Media, which placed generally high-CPM advertising on blogs.
However I think JavaScript injection is plain wrong. If not criminal.
So it doesn’t matter if hotel IT has thin margins (or zero-margins) or a major hotel brand uses hundreds of WiFi operators. Being unaware of what is going on in your business is no excuse. Marriott has substantial documentation online about their corporate responsibility and business values. I have no doubt that this is an isolated mistake or an oversight or a very bad decision, but I have no misgivings for calling them out on it.
I would add that calling public wifi “never safe” is also no excuse. Sure, many corporate business guests will use VPN for access to sensitive systems/data, but very few average people know about VPNs, and frankly they shouldn’t have to for non-sensitive, non-HTTPS web browsing at what is effectively a tourist hotel in Times Square. You should be able to read the news or check your blogs or watch a YouTube video without your hotel running craptastic regular expressions over your HTML. End of story.
Go fanboy go! ! Flight fire witth fire! If you have not used the ad blocker filter list from fanboy yet, it’s time to try it.
Justin, I didn’t mean to come across as defensive. I have no reason to be since my company does not engage in this type of advertising. I also don’t condone this. I stand by my comment because I want to bring another perspective to this article.
So I thought I’d interject something here. Being a hotel professional who also handles IT for a mid-range hotel in a major market I can tell you that there are a lot of variables that come into play when you talk about hotel internet. First and foremost there is the question whether the hotel is privately or corporately owned. If its privately owned the hotel can opt into products that Marriott does not necessarily have much control over. The situation can then devolve to a cost portion and if the HSIA ISP is inserting its own JavaScript it could be that they intend to insert ads and lower cost to the hotel even more. 9 times out of 10 the hotel staff will not understand what you mean when you talk about this kind of thing so you need to make sure you talk to a General Manager or IT individual within the company. If you complain to Corporate make sure you do it to say the President’s office rather than Guest Assistance because they’ll have no clue either. Just some suggestions
Denverite, yeah, can you imagine me going to the front desk and complaining about javascript injection? Or even calling customer support? I tried to find a corporate contact online, but they don’t make it easy. Apparently a friend of mine (Ken S) got in touch with someone via Twitter, so maybe they’ll reach out to me tomorrow.
“WiFi is considered a cost center”
So are washing towels and changing bed sheets, yet in a $300+ room one would expect these services to be included.
And these services alone cost several times what WiFi access costs. Talk about “cost centers”.
Yup, I’ve seen a version of this sort of thing when using wi-fi at the Imperial Palace in Las Vegas. Noticed similar items as did you, though in my case it was more than an additional odd line…it was an entire in-window toolbar, which of course seemed to cripple both Chrome and Safari.
A little digging revealed it was the “r66t bar” supplied by http://www.r66t.com/. Same sort of thing; ad injection and tracking. To add further insult to injury, I was actually paying $20/day for this luxurious internet service; it wasn’t even free with the room.
In my simpleton’s view of life…if a company, be it the hotel or the wifi provider, can’t do business in a clear and up-front manner…there’s usually a reason for it.
This is a really interesting Blog post – Nice job.
I’m a gold Marriott member, and I recently stayed in a (Marriott) SpringHill Suites in CO Springs, where they had tiered IBAHN internet service – around 350K was free, and it was $10/day for higher. The free speed was basically unusable except for what it was advertised at “checking email, casual surfing” – even picking airplane seats for check-in was unbelievably slow. I didn’t pay for the upgrade, but will in the future – if I can’t find a hotel with free (fast) internet.
Yes, changing HTML is even worse, obviously hotels and their providers are getting wise to using HS internet to get more money out of us. I do fully expect that demand is rapidly outstripping the hardware they have for room connectivity – how many of us have more than 1-2-3 internet devices now? And Netflix is a human right?
That and your blog post is my excuse to finally get my company to pay for internet tethering.
I am going to squalk at the dumb tiered service to Marriott corporate, and I’ll keep my eyes open for RXG.
the domain cloudapp.net is azure. you can contact M$ and tell them that their hosting is used for this type of hacks. It’s in their privacy policy so they need to terminate and take legal action against the owner.
They will probably also find out that the account was payed with a stolen credit card and report that … further up the chain.
Thanks for reporting this.
If its free, then one usually has to go with whatever hotel provides (including ads); unless consumers can demand better ad-free service or find another hotel chain who has not yet started exploiting generating revenue through internet ads (or saving on cost …whatever). And as usual hotel guests would be accepting the lengthy internet agreements.
Dunno how far one is going by javascript injection. Am not saying its right or wrong about javascript content injection. Just for discussion sake, if user computer allows it then maybe nothing wrong in doing it (like a webpage showing ads, someone could say why is someone injecting ads on my laptop screen… Content injection can happen through various means, java script is one way either user could disable JS all together, it if works or have to live with it since without that internet service may not work). On contrary one could argue even if user computer is less secure and someone can hack into it, hacking is not legal.
So this might fall into gray area.
Speaking about ethics, if its not illegal then there is nothing ethical or unethical. Everything is treated as legal or illegal, and then there is customers business which can be leveraged to get what one wants (I will take my business to someone else if you are not changing your xyz service).
Either we consumers show supplier (hotels) that customer is the king and get consumers demands met or we just have to live with it.
And finally a very bad service, if the customer pays for internet service and is still getting same ad enabled internet service like customers with free internet.
I fall in the category of free internet user, if its not free I am not paying it (dont want to give you internet revenue, either have it built in room cost or make it complimentary). And if its not free, I just take a break from internet (anyways hotels are meant to be for resting, but alas we take our work everywhere and we love the internet so much that not having is like …. :)
And its just a discussion and random thoughts
Just wanted to give you props for pointing this stuff out — casual users like me, lacking the knowledge to investigate this sort of trickery (but savvy enough to want it gone), rely on people like you as a kind of consumer advocate. So thank you!
If you can SSH through the WiFi, why not set up a SOCKS5 proxy through your server, and browse/email through the proxy? I would :D
Michael, is it just me, or does R66T connote “root” as in “being rooted” more than Route 66?
Perry, thanks. The funny thing is that in my case, the wifi was complimentary, there was nothing mentioned in the end user agreement about ad injection, and there was no option to upgrade or pay for faster/better/ad-free service.
Adrian, if you or anyone has suggestions about how to contact Microsoft about this let me know.
Mike, I pretty much disagree with your entire comment. Just because an addon service is “free” (nothing is free, the room was not free), does not mean it has to be adulterated. Just because a computer might be insecure to man-in-the-middle attacks does not make hacking legal. (If I leave my door unlocked, does that make it legal for you to steal my stuff?) There is a whole world of legal actions that are unethical: case in point all the political ethics violations we read about in the news. Ethics are about rightness and wrongness. Legality is about whether something is restricted by law.
Nick, you’re welcome. I’m surprised how much this has attracted popular attention. I should have known: internet users don’t like their internet being adulterated.
inactivist, I was sshing into my webhost’s shared server. Not sure I could set up a SOCKS5 proxy in that case. I’m a fairly technical user, but this episode has convinced me that there’s a market need for a VPN/proxy solution for average users.
Great find; I hope this blows up. Found you via Metafilter. WiFi is no more expensive to run for a hotel than it is for any business, which is to say, practically free. I have done it. Even with terribly expensive APs and controllers, it’s a one time expense in the low thousands. This hijacking and javascript insertion nonsense is inexcusable, particularly from a huge chain.
Answer: leech nearby WiFi or, better, tether your phone. Chances are you’d have no fun at all trying to establish VPN connectivity behind various different hotel firewalls and proxies….
Sounds like a good reason to run a secure (ssl) proxy server at your home and use that from the hotel. Presumably that would be safe.
Out of curiosity, did you try this with the NoScript Firefox plugin? I suppose it wouldn’t stop the injection, but it would stop scripts from doing things that break YouTube, etc. I like NoScript because it is really easy to permit or forbid scripts on a host-by-host basis, etc.
zomg, no, because their injection never resulted in an ad being display. I suppose if I had to watch a YouTube video for work purposes (this was a business trip) I would have been more pissed, and tried some active countermeasures (edit /etc/hosts, etc.)
The more interesting part of this is when residential neighbors jump on ‘unsecure’ wifi and the same business model is at work. http://www.dd-wrt.com/site/index The hotel setup is pretty common in hotels and I don’t consider it as devilish as you suggest. Hotels have to go shopping for some kind of captive gateway. They can’t just open up their wifi nor can they hand out pass words or whitelist MAC addresses. The captive gateway is their solution and the hardware sellers sweeten the deal by offering hotels different ways to recoup the cost of their ISP through ad replacement or first page ads. We already know that the hotel is a business. They are trying to make money off of you.
John G, I have to restrain myself from writing this in all caps: they are already making money off of me. I paid $368/night for several nights. That’s an excellent “captive” way for them to recoup their costs. What do you think?
John G – I agree that hotels are businesses and why not leverage some income via some sort of advertising channel, especially when offering “free” wifi? But they need to be upfront about it. Make it obvious. There are several ways they could do that. But they should never replace advertising on sites that would otherwise benefit from that view/impression and re-route to their own benefit. That’s 100% wrong.
Who’s the ad provider anyway? That’s what I want to know.
Justin, amazing find!
I find myself at the Imperial Palace in Las Vegas and had to check it out.
However, instead of the r66t stuff mentioned previously, I find the exact same stuff that’s in your blog. I would bet that RG Nets gateway was inserting the r66t stuff too, and the hotel just changed ad providers.
The Imperial Palace isn’t associated with Marriott at all are they?
I also checked youtube, and that appears to work here.
A little bit of googling and look what I have found… looks like these RG Nets folks have been at this for years:
http://www.dslreports.com/forum/r22305075-complaint-Stop-surving-fake-scanners
Look at the screenshot of the ad. It says … “Exert control over, clearly communicate with and have complete cognizance over your end-user population.” WTF?
Hey Justin are you still at the hotel? Can you check your ARP table. I want to know what the MAC address of the default gateway is. Check this out:
http://standards.ieee.org/develop/regauth/oui/public.html
If you search for RG Nets there you will find that they have only a single block of MAC addresses.
I want to see if the MAC address of the default gateway at the hotel is in that range. If this RXG thing is an appliance and if the MAC you have is in that range we know there can’t be all that many of them out there because they only have a single OUI assigned to them.
Check this out:
http://www2.ntia.doc.gov/files/grantees/floridaruralbroadbandalliance_infrastructure_application_attachments_part4.pdf
$10k a pop from what I read. At that price, can’t be that many of these things out there.
Anon, impressive sleuthing. I’m no longer at the hotel, but I’ll probably be back in a month or so, so I’ll be able to check back in.
Justin, if they are doing this and you find it offensive, why go back to them and give them more business? If people didn’t stay there when this happened, the practice would stop.
This is very disturbing. Injecting ads is bad enough, but hijacking the content could be used for a lot worse activity.
Mike, though I’m a strong proponent of voting with my feet, as you recommend, there are some situations that are simply wrong, and can only be addressed by bringing attention to the issue, as I have done.
I don’t think the Marriott is aware of this – I’m not sure they really need the few dollars here and there that they will gain from people clicking on their links. Have you reported the problem to the staff at Marriott? This is a major security issue in my opinion – I don’t think they’re only using it to inject ads, but they are also gathering browsing information as well.
Be thankful the internet is freely accessible where you are as it is.
http://upload.wikimedia.org/wikipedia/en/1/19/Du_block_page_v2.png
-From Dubai
Nice catch Justin. Wonder if the NYTimes link love will lead to an increase in container ship travel?
This violates the Berne Convention Author’s Moral right to preserve the integrity of their work. And Marriott Hotels have deep pockets. Some content creator should get a lawyer and sue them and RG nets bigtime.
Subversion? Really?!? git with the program, bro
Check out what Marriott in Philly is tracking, your tv viewing thru this company TIVUS. check out their website it states that the hotel will profit from defined advertising from info received from tracking your viewing habits. Kinda creepy to me.
Having discovered this, could one not simply set one’s host file to redirect adsmws.cloudapp.net to 127.0.0.1 thereby disabling it permanently? I’m talking about a Windows device but I assume there are equivalent *nix/Mac options.
ok – thinking a bit more about that obviously they could do more nasty rewriting if they were very clever (probably aren’t) like rewriting every URL to include a proxy so they could randomly replace images on the fly with ads of their choosing based on the image’s dimensions (neat huh); but they aren’t doing that – so presuming they are writing in sources that come from 1 domain, or a small number, it might be worth checking each time you power up in a new hotel and blocking these things out…
It’s ugly, but it will work. And you can’t really get upset at the hotel for trying to make a buck or provide cheap/free internet to its customers.
Count yourself lucky. In many places in Europe you pay that much for a hotel room and then they actually have the nerve to charge you *extra* for WiFi access, and then give you a connection barely better than using 3G!
Will, who knows. In terms of traffic driven to my post, Hacker News sends several orders of magnitude more visitors than the NY Times—though the NY Times readers might be more likely to ride container ships.
RichardH, yes, you could update your hosts file to prevent the external JavaScript from loading, but keep in mind—they’ve already modified the HTML you’ve requested at this point, which you cannot prevent with a hosts file entry.
To Chris, Jason, and anyone else with the defeatist attitude of: “consider yourself lucky, the internet is much worse in X”. NO. I will not consider myself lucky. I will fight for my right to have the content I request to be unadulterated by internet access providers. Instead, count yourself lucky that I’m willing to take a stand and publicize a small injustice before it becomes a large one. Perhaps it will one day rub off on your countries.
I count myself lucky….
Funny reaction maybe due to it only involving injection of ads into content. Imagine though replacing content Mariott doesn’t like with something they do – say content from the BedBugRegistry. Or what about news content the corporation doesn’t want you to see – rather than censor it wholesale they inject their own FoxNews spin.
This happens more than is reported. The example I use is local BestBuy’s. Some of them proxy out competitors. One actually replaced links from a competitors product page to BestBuy’s online store (I brought this to the managers attention and haven’t caught them doing this since).
Just another layer on top of what ISPs, etc. are doing to adulterate content.
Thanks – I just added their web site to my host file blocked list.
The only correct description of such hidden content changing practices is ‘vandalism’ – it basically always spoils the service and sometimes even breaks it.
Even worse, both providers/producers as well as consumers are not aware of it being in effect and consider any issues resulting out of it as a flaw on the other part or the general underlying constructs rather on the real culprit.
A similar yet widespread technology gone wrong is named ByteMobile (similar technologies exist under other names as well) which “optimizes” speed by rewriting web pages and messing up images by recompressing them. Many mobile network providers use it by default while spreading basically zero information about it, thus basically cheating on their clients by selling them a degraded service as “full internet access”.
Opera Turbo is similar, however it is displayed to the users whether it is applied or not, thus allowing them to opt in or out as desired.
Just got the following via DM from @marriottintl on Twitter:
(Part 1) Mr. Snider, thx for your DM. We exchanged emails w/ Mr. Watt last week & today. As far as the hotel is concerned, as soon as we…
(Part 2) learned of the situation, we launched an investigation into the matter. Prelim findings revealed that, unbeknownst to the hotel…
(Part 3) the ISP company was utilizing functionality that allowed advertising to be pushed to the end user. The ISP has assured the hotel…
(Part 4) this functionality has now been disabled. While this is a common marketing practice with many Internet service providers, Marriott
(Part 5) does not condone this practice. At no time was data security ever at risk. Mr. Snider, we appreciate you taking the time time to
(Part 6) reach out to us. It is feedback from our valuable customers that allow us to improve our service. Have a good week & we hope to…
(Part 7) see you soon!
Just because a hotel is offering ‘free’ internet access doesn’t mean they can hack into content you are viewing. If this is happening a declaration should be made, and give you an option for free hacked pages, or paid for internet with no modifications. This is a serious breach of trust.
I’m curious as to why the extra lines were not in the pages when you fetched them with wget. As far as the router is concerned, isn’t wget requesting the web page just the same as any other browser?
Eric, when I described using
wget
to download my homepage, I wasssh
ed into my webhost in Los Angeles, so I was effectively downloading it from an external host, not from within the hotel’s wifi network, if that makes any sense. Which is why it didn’t contain the injected JavaScript. However when I usedwget
on the command line locally at the hotel, the source of my homepage did contain the injected JavaScript, just as you described—no different than what the web browser “saw”. Sorry if that wasn’t clear in my post.Thank you…I will be on the lookout now.
Hey Justin, the rgnets device is not specialized to doing the JS injection. It does a lot of stuff more stuff, most of this is outlined in the stuff I dug up. Look at that Florida RFP that shows the $10k price and even on their website.
I am betting that the rgnets machine is the router for the network and is delivering the portal, doing the bandwidth mgmt, etc. If that machine is the main router for the guest network, ripping it out is obviously not an option without putting something else in. Look at their network diagrams and stuff. That’s what I was asking about the MAC address. I want to get some more evidence about how this stuff works.
Anyway, my point is that I don’t think that the Marriott or the Marriott’s ISP bought this device for the purpose of doing this kind of a thing. I think that the Marriott or the Marriott’s ISP bought this device because it is designed to do everything they might ever possibly need for the guest WiFi and that it is probably the core router.
So do get that MAC address and we can try some snooping to see how DHCP works on that network, like who the server, etc… once we get that I think we can better figure out what is going on.
Hey anon, have you seen the RG Nets website, you know, the one with the stock photo of the hand dropping coins, and the tagline: “Got network? Want money? Get rXg.” And the links about “deploy[ing] a profitable revenue generating network!”
You’re being surprisingly conservative, but I feel pretty confident in my assertion that the RXG device was purchased and put in place specifically for this type of malicious ad injection activity. If it also happens to act as a router and bandwidth manager, great—but there are other devices that do that without the evil. You don’t buy an RG Nets RXG thinking, “Hey this will be a great core router for my client’s hotel.” You buy it with dollars signs in your eyes.
Anyway, I’m no longer at the hotel, so I can’t poke around. I’ll definitely be curious to update this post depending on what I see the next time I travel to NYC.
Sorry for the miscommunication. I’m not trying to be conservative in the assessment of what they are doing at all. Certainly they [ Marriot, Hotel Internet ISP, whatever ] have bought this equipment because of the dollar signs. What I believe is happening though, is that the advertising is only a secondary or tertiary thing that they are doing. Look at all the things that they are talking about on the rgnets website. They are talking about profiling people, selling bandwidth and quota upgrades and all sorts of stuff like that.
Anyway advertising seems like it’s an added extra in their literature. You seem to think that this is the main reason why this machine exists or is deployed. It’d be interesting to see which way this really is. Figuring out the network topology I think will shed some light on it. Look forward to working with on mapping out the network at that hotel next time you get there.
@Eric. Perhaps the injection also detect the User-Agent value (it is very possible, because each browser handle JS differently)
So this give me an idea. What if we modify the User-Agent? But the down side is some website also use that to determine what javascript to run… :(
SSL Proxy, here I come… ;)
The copyright statement on the HTML Blog specifically prohibits alteration of the user experience. So if anything like that is going on, it’s in violation of our copyright. Class action, anyone?
Anon, no worries, I just wanted to make clear that this type of JavaScript injection wasn’t just a tertiary feature of the device.
dk, as I replied to Eric, he misunderstood my description of
wget
in my post. When I usedwget
on my local machine at the hotel, the JavaScript was injected, and I did save copies of my index.html file and several others that I downloaded usingwget
as evidence. However, the use ofwget
I was describing in my post was after I’dssh
ed into my webhost’s server in Los Angeles, and it was there thatwget
ing my homepage did not show the JavaScript injection. I’ve just updated the text of my post to make that more clear.However, to your point, I didn’t think to play with the Firefox User Agent Switcher add-on to see if the injection differed depending on what browser I was advertising myself as.
Robert, I’ve informed the ACLU and EFF of my discoveries, but I’ve yet to hear back.
I am at a marriott now. I have a comcast ext. IP in marlton,NJ. I am in langhorne,PA. The ISP is active networks and the gateway is a nomadix ag 3000, that is a legacy product. I’ll walk next door to the courtyard tomorrow and scan them too
What ISP was this injection on? Also knowing Marriott, the 800lb gorilla that forces it’s policies on every vendor, this is something they asked for and may have been testing to deploy.
Also, every solution and piece of equipment on their network has to go through their lab test and be certified for use.
Use Windows Update to check whether you need the service pack and to install it. Click the Start button, click All Programs, click Windows Update, and then click Check for updates.
It is happening here, too, at Carson Valley Inn in Minden, NV.
Screws up my browser sessions while it hangs trying to transfer data from http://adsmws.cloudapp.net.
I may just have to turn javascript off on my browser.
GaiusGracchus
Actually, the better solution is to block the site in your browser. Chrome will allow you to block certain sites from using JavaScript.
Select the toolbar (wrench in the top right-most corner of browser window), then choose ‘Settings’.
Then choose ‘Show Advanced Settings…’, then under Privacy, pick ‘Content Settings…’.
Then under JavaScript pick ‘Manage exceptions…’
Add a new hostname pattern:
http://adsmws.cloudapp.net
Select ‘Block’ in the dropdown. Click ‘OK’ and you are DONE!
No more interference from this stupid HOTEL WIFI Javascipt virus-like INJECTION!!!!
Hello Justin,
good job bro….
You gave me one more reason to tunnel over an encrypted IPv6 VPN all my traffic when connected to WI-FI.
Since the vast majority of WI-FI admin tools (Nomadix etc…) are easily hackable/crackable the only way is to create a tunnel (if UDP is not voluntarily blocked by ISPs or professionals involved) to your trusted VPN provider….
I’ve been surfing in total freedom even in Cuba (where DNS are strictly controlled and many resources are unavailable through them).
Thanks a lot for your inputs
Stefy
I’ve been staying at the Marriott Residence Inn in Bloomington MN for the last week. The ‘Free High Speed’ internet is slow as smoke off of dog shit. Firefox alerted me to the adsmws js crapola… Marriott obviously is complicit! Some creative surfing pointed me to your blog. The hotel IT guy blamed the slow performance on my machine being loaded up with malware (duh, not the case). I would love to see the look on his face when opened my email with a link to your blog. Busted!! Bottom line is that Marriott loses customer loyalty when their ‘free internet’ is useless. My Advise to Marriott customers is to use the opt-out,
Thanks for this blog. I am on support staff for a cloud-based software; we spent an hour w/ a user because this injection was interfering w/ the javascript on the login screen to our software. Everyone blamed our software until we noticed the injection scripts on other pages from his connection. Turns out he is staying at a hotel and that’s the real problem.
I am also currently in a Marriot-owned hotel and was having trouble with my internet and noticed something appearing when I tried to go back on a page. This was the first thing that came up on Google when I just searched the name of the page…and then I find Marriot has been doing this for a while.
if it’s disclosed in the ToS of the free wifi, I’m ok with it (ie: i can choose to pay for a level of service without it, or use my own evdo connection, or mifi and pay carrier data rates with Verizon). some folks want free wifi but the truth is there are still costs on the system so as long as it (the ad. injection) not part of a paid system or is disclosed on a free one (ie: it has to be supported somehow), that’s the key.
i’m not sure i buy the copyright infringement, but i don’t like it breaking cloud code or youtube – if it increases tech support load for anyone it needs to be refined or pulled, period.
There have been a lot of arguments here about how the service is free. Therefore, you should not complain.
But this is absurd.
Wi-Fi is an in-room amenity, like clean linens, electricity, air conditioning television.
If the cable provider chose to rewrite the ads being shown on NBC, everyone would flip their lid.
If the electricity provider played an ad every time you turned on a light switch, we would check out immediately.
The expectation is that in-room amenities do exactly what they’re advertised to do, and they should not use subterfuge to change the behavior of things outside of their realm.
I think the example of the newspaper that’s included with your room rate is a good example. If the hotel scanned in the copy of the New York times, and change the layout to add new advertising, or replace existing advertising, or block editorials, this would be considered extremely unethical and a violation of customer trust.
And this doesn’t even touch on the fact that this same type of JavaScript injection can be used for much more nefarious purposes, such as tracking your individual clicks and page scrolls and data entered into forms.