Last Friday, October 4th 2013, I was hanging out with some friends and, while searching for a place to do so, I opened up Urbanesia on its mobile web, http://m.urbanesia.com/. While I was searching, I noticed a banner displayed at the top of the page. It was definitely not Urbanesia's, so I got curious.
Digging into the mobile web source code, we had not enabled any code that would lead to banner placements at the top, so this banner must have been injected by a third party. My mind was full of technical ideas about the security flaws that could make the injection a reality.
The culprit is definitely XL, since they even took the time to display their logo on the banner. Here's a screenshot.
This is most definitely a low blow by XL. They're practically monetizing our content, and displaying ads over a 3G connection I already paid for. For both the content provider and the user, this is a very unethical and disgraceful act, to say the least.
This blog post will talk more about the technicalities of how XL is able to do this. I won't be 100% correct, but I'll settle for 99%.
XL's technique has a flaw. Try refreshing Urbanesia's mobile web and you'll soon notice that in some cases it shows code fragments instead of the website. Why? Urbanesia's mobile web uses the server-side Google Analytics implementation to track our statistics, so we have a small ga.php on our server to track users. Here is the code below.
The script displays a small 1x1 GIF, and I made some modifications so that it only tracks users and not bots. Now, instead of the GIF, it showed code fragments: XL's injector mistook ga.php for a document when in fact it's an image. The Content-Type was correct, image/gif, so I think they decide what to inject into by looking at the file extension rather than the Content-Type header. Here's the screenshot.
The injected script is ibn_complete_20130930.min.js, with a more readable version named ibn_complete_20130930.js. Here's a GitHub Gist of the readable version: https://gist.github.com/tistaharahap/6837508.
You'll notice that they left their development and production URLs intact within the source code. They also bundled jQuery with the code. Looking at it, they only do minimal DOM manipulation with jQuery, and yet they bloated the user's download size with the whole library.
What got me even more pissed off: I found out that Urbanesia's content was served inside an IFRAME within their HTML document, with placeholders for top, left, right and bottom banners. But if you look at the screenshots above, the domain shown is still Urbanesia's. So XL not only modified the content, they also manipulated users into believing that the ads are coming from Urbanesia's server. This disgusts me.
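As an added illustration (not code from the original post, and not XL's or Urbanesia's code), the Python below checks a raw HTTP response for the two symptoms described above: an image response whose body has been turned into markup because the injector classified it by file extension instead of Content-Type, and an HTML page that is really a wrapper document framing the site and loading script from another origin. The sample responses are constructed, the set of "asset" extensions in the naive rule is an assumption, and the hostname injector.example stands in for the injector's script host, which the post does not name.

```python
"""Spot-check an HTTP response for signs of an in-path ad injector.

Added example, not Urbanesia's or XL's code. The sample responses below are
constructed to mirror the two symptoms in the post; injector.example is a
stand-in for the injector's real script host, which the post does not name.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

GIF_MAGIC = (b"GIF87a", b"GIF89a")


def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def media_type(headers: dict) -> str:
    """'image/gif; charset=x' -> 'image/gif'."""
    return headers.get("content-type", "").split(";")[0].strip().lower()


def is_document_by_extension(path: str) -> bool:
    """The naive rule the post suspects the injector used: anything whose
    extension is not an obvious static asset is treated as a page.
    The extension set is assumed for illustration."""
    ext = path.rsplit(".", 1)[-1].lower()
    return ext not in {"gif", "png", "jpg", "jpeg", "css", "js"}


def is_document_by_content_type(headers: dict) -> bool:
    """The correct rule: only HTML responses are documents."""
    return media_type(headers) == "text/html"


class _TagCollector(HTMLParser):
    """Collect iframe and script sources from an HTML body."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts = [], []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "iframe" and attr.get("src"):
            self.iframes.append(attr["src"])
        elif tag == "script" and attr.get("src"):
            self.scripts.append(attr["src"])


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def find_injection(raw: bytes, site_host: str) -> list:
    """Return findings for one response; an empty list means nothing suspicious."""
    _, headers, body = split_response(raw)
    kind = media_type(headers)
    findings = []
    if kind.startswith("image/"):
        # Symptom 1: ga.php says image/gif but the injector treated it as a
        # document, so markup now precedes (or replaces) the GIF data.
        if not body.startswith(GIF_MAGIC) and b"<" in body:
            findings.append("image response carries markup instead of image data")
    elif kind == "text/html":
        # Symptom 2: the page is a foreign wrapper that frames the real site
        # and pulls its own script from another origin (a heuristic: a site
        # that frames itself on purpose would also trip this).
        parser = _TagCollector()
        parser.feed(body.decode("utf-8", "replace"))
        for src in parser.iframes:
            if _host(src) == site_host:
                findings.append(f"site is framed by a wrapper document: iframe src={src}")
        for src in parser.scripts:
            if _host(src) and _host(src) != site_host:
                findings.append(f"script loaded from another origin: {src}")
    return findings


# Constructed samples, not captured traffic.
SITE_HOST = "m.urbanesia.com"
INJECTED_JS = b'<script src="http://injector.example/ibn_complete_20130930.min.js"></script>'
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
CLEAN_PIXEL = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n" + PIXEL_GIF
MANGLED_PIXEL = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n" + INJECTED_JS + PIXEL_GIF
CLEAN_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
              + b'<html><body><h1>Urbanesia</h1><script src="/js/app.js"></script></body></html>')
WRAPPED_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                + b"<html><head>" + INJECTED_JS + b"</head><body>"
                + b'<div id="top-banner"></div><iframe src="http://m.urbanesia.com/"></iframe>'
                + b"</body></html>")

if __name__ == "__main__":
    for name, raw in [("clean pixel", CLEAN_PIXEL), ("mangled pixel", MANGLED_PIXEL),
                      ("clean page", CLEAN_PAGE), ("wrapped page", WRAPPED_PAGE)]:
        print(name, find_injection(raw, SITE_HOST) or "ok")
    print("ga.php by extension:", is_document_by_extension("/ga.php"),
          "by content type:", is_document_by_content_type({"content-type": "image/gif"}))
```

The check only tells you that a response was tampered with; it does not prevent it. The one robust defence against an in-path rewriter is serving the site over TLS, since a transparent proxy cannot alter a response it cannot read. An X-Frame-Options header would stop the browser from rendering the site inside the wrapper's IFRAME, but only for as long as the same proxy does not strip that header from the response.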
As you can see above, it's ridiculously inappropriate. Urbanesia did not consent to anything like this, nor was there any notification to us about their practices. This is just wrong.
My tweets were answered by friends in the startup community and also from outside it. The responses were on Facebook; I auto-post tweets to Facebook, by the way. I can't represent them, as this blog post is my personal thoughts, but suffice to say my thoughts are not much different from theirs.
So whether you're a content provider or a user, we are both offended by this kind of practice by XL. The big boys said they are writing a protest letter to XL; let's see whether that can stop XL from violating our rights. Yes, we live in Indonesia, which gets me even more pissed off. If you want to help, retweet this blog post and let more people know.
DISCLAIMER: While I work at Urbanesia, this blog post is my personal thoughts and therefore does not imply the views of Urbanesia as an entity.