How a South African ISP hacks its subscribers each month

Telkom are hacking their users

Thousands if not millions of online users are at risk because of an oversight by the South African ISP Telkom. No doubt initiated with practical intentions, Telkom has a mechanism to inform you via pop-up that your data allowance has reached a certain percentage of its limit. The problem with them delivering this small bit of antiquated information is that it is HTML injection, and it reveals that Telkom proxies all their users' traffic.

HTML injection is a common hacking method where the requested code (HTML) for a website is returned to you in a modified form, with someone's own code inserted to serve various purposes.

Telkom HTTP Injection

Telkom injecting their own script into users browsers

Another step in this process is what happens with DNS, where their inserted JavaScript references this IP: (specifically a reverse lookup) which oddly forward resolves to which is a non-recursive name server running on Citrix. It would make sense that this is an enterprise DNS server to resolve queries any of their tools might have. The problem with this is that after injection you could be leaking DNS lookups.

On a side note regarding DNS and Telkom, I have read of an ADSL connection breaking because the default name servers were changed to OpenDNS (, Once they were changed back to Telkom’s the connection went back up because DNS requests were resolving. It would make sense to try to force people into using their DNS servers to facilitate easy troubleshooting and tech support, but it could be to funnel users in to monitor their web traffic. Telkom is partially state owned.

Once Telkom starts injecting code into your browser, a side effect is that it will cripple the functionality of some websites, hindering your quality of service and breaking sites. How many out there have seen the pop-up and clicked on it? How sure are they that it was in fact Telkom’s pop-up that they clicked on to remove it? What other traffic has been interfered with through their proxies?



Pro-Tip: their injection can only work on HTTP and not HTTPS so there is some relief from this inconvenient and dangerous code injection. Installing the HTTPS Everywhere plugin will help mitigate the injection and is a recommended plugin to run regardless. Alternatively install the Tor browser.


EDIT: this article made it onto the front page of Hacker News

