Security

State-Owned Telco BSNL Uses Code Injection In Browsers to Display Malicious Ads, India’s Digital Liberties Organization Takes Notice

Privacy and security on the internet should be a fundamental right. Many countries are putting in place strict regulations to protect users. Like Governments, even Internet Service Providers have a big role in protecting their users. According to reports, India’s state-owned telecommunications company BSNL is doing just the opposite.

BSNL Doling Out Advertisements Through Browser Injections

Internet Freedom Foundation is an Indian digital liberties organization that works to defend online freedom and privacy for users in India. On 17th May they put out a report detailing malpractices by BSNL, specifically referring to the use of browser injections.

Basically, BSNL is injecting code in browsers by changing the DOM structure of HTML and inserting additional HTML iframe’s that contains the ad. This is a common technique practiced by Malware and shady browser extentions which inject ads in a user’s browser, but it is unheard coming from an ISP. Many complaints we could find date back as far as 2014 and as evident from this Reddit post here, it is still a problem.

Image Snippet from IFF’s report

Even the ad content poses a big threat because most of it is straight up malware. BSNL being a state-owned entity supplies internet to many small towns and villages in India, where tech literacy is low so people in these regions become easy targets and this becomes a dangerous combination.

As IFF’s report correctly points out, this practice is illegal according to India’s own internet laws. IFF writes “The Department of Telecommunications also circulated a notice providing for minimum requirements of security to be met by Licensee, in line with the DoT’s licensing conditions in May 2011. It specifically expects measures to be in place against intrusion of malware, protection of information in networks and its facilities, basic updated security measures in compliance with statutory, regulatory, licensing or contractual obligations. BSNL appears to be clearly failing to meet these requirements.

Reddit Post Pointing out Diffrent ISPs

As this Reddit user (and several other) points out, other Internet Service Providers are doing the same. What’s worse is, MTNL is also a state-owned entity.

This tweet above details some of the shady URLs where users are directed through the ads. 

BSNL’s Financial Woes

BSNL has been in a financial crisis for quite some time now. Over the years there has been fierce competition between private telecom players in India and BSNL simply hasn’t been able to compete. This year salaries of its 1.76 lakh employees were delayed due to a major cash crunch affecting the company.

This somewhat explains why BSNL has such deals with shady ad networks. Paying users who entrust ISPs with their security and privacy shouldn’t have to put up with this. It’s highly distressing that an ISP, let alone a state-owned one would do this. Concerned authorities should take immediate action based on IFF’s report.

You can read IFF’s detailed report here


Leave a Reply

Your email address will not be published.

Close