My tweets and the previous post have gone viral. Lots of reactions, both positive and negative: some retweeted immediately, others called me a fool for writing about injecting content into an SSL connection. Amazing to see all the responses. There is a pattern among the people who reacted negatively: they tend not to care about the ads.
Here's the tweet in question:
Don't use KlikBCA on the @xl123 network unless you want to share your login credentials with XL; if so, go ahead. pic.twitter.com/AvNfUuhORN
— Batista Harahap (@tista) October 23, 2013
Here are some replies:
@tista just read the blog. Yes, with @XL123 putting the real site in an iframe, they can read what is being keyed in. That's crazy. /@zmaintance
— snydez (@snydez) October 24, 2013
@tista @XL123 you use a SMARTPHONE, but your brain doesn't prove you are a smart user :) those are just ads from XL :)
— Adzuan (@zmaintance) October 23, 2013
@tista @kakilangit @XL123 uh, isn't it https anyway?
— Heriyadi Janwar (@heriyadi) October 24, 2013
the reasons behind that security concern are discussed by @tista at http://t.co/WKzp1Q98FI cc @XL123
— Ivan (@stevanushk) October 24, 2013
@tista @xl123 hoax... because klikbca uses HTTPS, meaning the layer is encrypted... so don't make reckless statements if you don't understand, sir
— Kendi (@kendivhy) October 24, 2013
@za_ka @xl123 @tista you can read 128-bit SSL encrypted traffic? wow, your brain must be as sophisticated as a CIA mainframe then, hehe pic.twitter.com/o4gHOFjWwq
— Kendi (@kendivhy) October 24, 2013
@tista @za_ka @XL123 I've read it, but your statement just now about sharing credentials is not valid; please attach traffic evidence if it's true
— Kendi (@kendivhy) October 24, 2013
@BigGuzz @za_ka @xl123 @tista this is what's visible to the naked eye for traffic towards https klikbca.. where's my password? pic.twitter.com/lVUPb5pI7F
— Kendi (@kendivhy) October 24, 2013
What some of the repliers didn't notice is that the interesting part happens behind the scenes without touching the network layer or the HTTPS protocol at all; it doesn't have to. Just now I tried accessing KlikBCA and the ads are gone, so people who try now may not get the same page I got in my first screenshot.
If you've heard of phishing, you know it doesn't take sophisticated means to get credentials: you fake a login page so it looks like it comes from the rightful owner. This is what was actually happening to me. XL served me a KlikBCA login page into which XL had injected its own code. That code displayed ads on a connection I had already paid for.
Other than displaying ads, the amount of power XL can wield with this kind of unethical practice is limited only by your imagination. XL is serving web pages as if they came from KlikBCA.com, or any other domain for that matter. They have within their grasp the ability to alter, intercept, modify and collect information from us. Not by using a complicated SSL penetration technique; you don't have to. A few lines of JavaScript are enough.
Here's a jQuery-style demo of how you can do this with KlikBCA as the target:
So we as users are at XL's mercy if they decide to do nasty things, or worse, XL doesn't even know they're doing nasty things to us. It's just too easy. I don't know what XL is doing, so I won't trust them with any of my web-based authentication, and you shouldn't either.
@kendivhy also says that the added bytes users have to download are free of charge from XL. This is one of the more absurd statements I've read so far. On every website where XL injects ads, our user experience quickly degrades. Why? Download times multiply. As a web developer, I work to shave off download time, and XL just threw years of that work into the garbage. And why would you give in to the ads XL is serving? We've paid for our 3G connection, remember?
Bottom line: your opinions are your own and this is mine. I can't agree with these kinds of practices. Period.
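The defensive counterpart to the scenario above, as an added example that is not code from the original post: checks a bank's login page could run to refuse rendering its form when it has been wrapped in an iframe (the situation snydez's reply describes), delivered without HTTPS, or loaded with scripts from hosts the bank does not control. The allowlisted hosts and the mock window/document objects are constructed for this example.

```javascript
// Added example, not code from the original post. Hosts the bank controls
// (assumed values); anything else serving a script is a finding.
const ALLOWED_SCRIPT_HOSTS = ['www.klikbca.com', 'ibank.klikbca.com'];

// True when the document is not the top-level browsing context, i.e. another
// page (such as an injected ad wrapper) has embedded it in an <iframe>.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    return true; // a cross-origin parent throws on access; still framed
  }
}

// Return src URLs of <script> tags whose host is not on the allowlist;
// unparsable src values count as foreign.
function unexpectedScripts(doc, allowedHosts) {
  const foreign = [];
  for (const s of doc.querySelectorAll('script[src]')) {
    let host = null;
    try { host = new URL(s.src, doc.baseURI).hostname; } catch (e) {}
    if (!allowedHosts.includes(host)) foreign.push(s.src);
  }
  return foreign;
}

// Decide whether the login form may be rendered. Any finding blocks it:
// the page is framed, was not delivered over HTTPS, or loads foreign scripts.
function loginPageIntegrity(win, doc) {
  const problems = [];
  if (isFramed(win)) problems.push('framed');
  if (win.location.protocol !== 'https:') problems.push('not-https');
  const foreign = unexpectedScripts(doc, ALLOWED_SCRIPT_HOSTS);
  if (foreign.length) problems.push('foreign-script:' + foreign.join(','));
  return { ok: problems.length === 0, problems };
}

// Constructed stand-ins for window/document so the checks run in Node; in a
// real page pass the browser's `window` and `document` instead.
function mockPage(framed, protocol, scriptSrcs) {
  const win = { location: { protocol } };
  win.self = win;
  win.top = framed ? {} : win;
  const doc = {
    baseURI: protocol + '//ibank.klikbca.com/login',
    querySelectorAll: () => scriptSrcs.map((src) => ({ src })),
  };
  return { win, doc };
}
```

Server-side response headers such as X-Frame-Options: DENY and Strict-Transport-Security are the stronger controls against this scenario; the client-side check is a backstop that only helps when the page itself arrives over HTTPS, so an intermediary on the path cannot strip it.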