This kind of crap is why everyone should use HTTPS whenever possible

AT&T got caught with its hands in the proverbial cookie jar. It was testing injecting advertising at one of its airport Wi-Fi hotspot locations, and one of the nation’s leading privacy advocates with expert technical proficiency was passing through. Jonathan Mayer wrote up his experience on Tuesday; AT&T said on Wednesday it was an “experiment” it’s already discontinued. Mayer’s curiosity was piqued when sites that feature no advertising (academic and government) and that already had some advertising sported more, including a banner stretched across the bottom, and pop-up ads that couldn’t be dismissed before a period of time had passed. AT&T was injecting JavaScript into webpages, intercepting them and rewriting them on the fly, using a third-party ad network’s code to deliver the overlaid ads. In a statement provided by a spokesperson, AT&T said: “Our industry is constantly looking to strike a balance between the experience and economics of free Wi-Fi. We trialed an advertising program for a limited time in two airports (Dulles and Reagan National) and the trial has ended. The trial was part of an ongoing effort to explore alternate ways to deliver a free Wi-Fi service that is safe, secure and fast.” It should never have begun.