capsinthehouse’s Twitter Archive—№ 34

          1. …in reply to @othermaciej
            @othermaciej @firefox @FirefoxNightly @webkit @reinhart1010 @johnwilander Here is the original post on Reddit. Reddit is blocked by the Indonesian government (for explicit content reasons, same with Vimeo), but some users are still able to access the service via VPN and DNS-over-HTTPS services: reddit.com/r/indonesia/comments/evkqns/beaware_tracking_script_isp_telkom/
        1. …in reply to @capsinthehouse
          @othermaciej @firefox @FirefoxNightly @webkit @reinhart1010 @johnwilander Some Telkom Indonesia (an ISP and state-owned enterprise) customers noticed the addition of a tracking script embedded at the end of non-HTTPS websites and web pages that looks like this:
          [Image of the script; not preserved in this archive]
      1. …in reply to @capsinthehouse
        @othermaciej @firefox @FirefoxNightly @webkit @reinhart1010 @johnwilander The tracking script never appeared when the (non-HTTPS) site was visited through another ISP, using VPN/DoH, or even when the connection was upgraded to HTTPS. One customer also confirmed this script appeared regardless of devices and browsers.
    1. …in reply to @capsinthehouse
      @othermaciej @firefox @FirefoxNightly @webkit @reinhart1010 @johnwilander Based on the code above, the script is intended to gather several pieces of information, such as viewport sizes and current domain, which is likely used for analytics. However, customers feared that this might be used by the ISP for tracking purposes.
  1. …in reply to @capsinthehouse
    @othermaciej @firefox @FirefoxNightly @webkit @reinhart1010 @johnwilander Although the Reddit author posted this a few days ago, this script injection has occurred for years. For example, this StackOverflow post suggests the same script is used to inject advertisements: stackoverflow.com/questions/30076093/how-to-clean-up-ads-injection-on-wordpress-which-injected-through-isp
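
The comparison the thread describes (the same non-HTTPS page seen through the ISP and through a VPN/DoH or HTTPS path) can be checked mechanically. The following is an added example, not part of the original tweets: it lists the scripts present in the plain-HTTP copy but absent from the trusted copy. The sample pages, the `tracker.example` host and the inline script body are constructed, since the screenshot of the real script is not preserved here.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Record every <script> as (src, sha256 of inline body)."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.scripts, self._src, self._buf = [], "", None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src") or ""
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:      # only text inside a <script>
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            digest = hashlib.sha256(body.encode()).hexdigest() if body else ""
            self.scripts.append((self._src, digest))
            self._buf = None

def scripts_in(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    if parser._buf is not None:        # count a script left unclosed at end of input
        parser.handle_endtag("script")
    return parser.scripts

def injected_scripts(trusted_html, observed_html):
    """Scripts in the plain-HTTP copy that the trusted copy does not contain."""
    trusted = set(scripts_in(trusted_html))
    return [s for s in scripts_in(observed_html) if s not in trusted]

# Constructed sample: the page as served over a trusted path (HTTPS or VPN) ...
TRUSTED = ('<html><head><script src="/app.js"></script></head>'
           '<body><p>Hello</p></body></html>')
# ... and the same page over plain HTTP with markup appended after </html>.
OBSERVED = TRUSTED + ('<script src="http://tracker.example/t.js"></script>'
                      '<script>var w = window.innerWidth, d = location.hostname;</script>')

if __name__ == "__main__":
    for src, digest in injected_scripts(TRUSTED, OBSERVED):
        print("injected:", src or "inline sha256=" + digest[:16])
```

Pages that legitimately vary between fetches (rotating ad tags, per-request inline data) will also show up as differences, so repeat the trusted fetch and compare against the union before attributing a script to the network path.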