Today, while surfing on Twitter, I noticed Brute Logic’s tweet about the JS event handler “onbeforescriptexecute”, which makes a tag execute JS right before every <script> tag on the page starts execution.
I followed the link provided in the tweet, anticipating that only one alert would be there because of the <script> tag that is already in the page, but I was surprised to see that two alert boxes actually appeared.
I inspected the source code of the page and was thrilled to see a completely new <script> tag there, which was not on the page in the first place, nor was it injected in the payload. See the following screenshot:
After some research on Google, I found out that the script gets injected by my ISP, Vodafone. This means that they are intercepting and eavesdropping on EVERY request I make to EVERY page that doesn’t use HTTPS as its protocol, and of course EVERYONE else’s requests as well.
The script basically replaces all the images in a given page with low quality ones, saving bandwidth for Vodafone, and giving them the opportunity to inspect every request issued by the devices connected to them.