StarHub’s illegal code injection

Some time ago, I decided to get the a cable TV set-top box from http://starhub.com. It works OK. Perhaps recorded one movie – but there is no way to extract it out so I think it has not been as useful from my point of view.

As it turns out, that service provides a “free” 1Mbps broadband access.  I already have internet access via my preferred service provider Super Internet. So, I reckoned it was good to have a 2nd line out.
I have both of my broadband links sitting on Fon spot access points running on different channels and SSIDs.  And life is good.
Recently, however, I began noticing that the link out of the StarHub link has some code injections being done on traffic that goes out on port 80. However, SSL Port 443 traffic is safe.
This code that is injected is as follows:
<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”&gt;
<html xmlns=”http://www.w3.org/1999/xhtml“>
<head>
<meta http-equiv=”Content-Typecontent=”text/html; charset=UTF-8” />
<title>StarHub ToolBar</title>
<link href=”http://203.117.187.181/starhub/wishfi/toolbar.cssrel=”stylesheettype=”text/css” />
<script src=”http://203.117.187.181/starhub/wishfi/jquery.jstype=”text/javascript“></script>
<script src=”http://panel.singapore.wishfi.com/wapi.jstype=”text/javascript“></script>
<script language=”< span class=”webkit-html-attribute-value”>javascript“>
function toolbar(){
var showflag=document.getElementById(‘div1’).style.display;
if(showflag==”){
showbar();
}else{
displaybar();
}
}
function showbar(){
document.getElementById(‘div1′).style.display=’none’;
document.getElementById(‘div2’).style.display=”;
document.getElementById(“sbox2”).appendChild(document.getElementById(“smsBtn”));
document.getElementById(“smsBtn”).className = “sms_bg_btn”;
// $(“#table1”).hide();
//$(“#table2”).show();
}
function displaybar(){
document.getElementById(‘div1’).style.display=”;
document.getElementById(‘div2′).style.display=’none’;
document.getElementById(“sbox1”).appendChild(document.getElementById(“smsBtn”));
document.getElementById(“smsBtn”).className = “sms_sm_btn”;
}
var smsBtn,smsDIV,starHub = new wapi();
window.onload=function(){
smsBtn = document.getElementById(“smsBtn”);
if(typeof smsDIV == “undefined”){
smsDIV = starHub.createHover(smsBtn,”bottom”, 80);
smsDIV.innerHTML = “http://websms.starhub.com/websmsn/widget.jsp“;
}
}
function showDiv(){
$(smsDIV).slideToggle(“fast”);
}
</script>
<script type=”text/javascript“>
var _gaq = _gaq || [];
_gaq.push([‘_setAccount’, ‘UA-7004405-1’]);
_gaq.push([‘_setDomainName’, ‘.starhub.com’]);
_gaq.push([‘_trackPageview’]);
(function() {
var ga = document.createElement(‘script’); ga.type = ‘text/javascript’; ga.async = true;
ga.src = (‘https:’ == document.location.protocol ? ‘https://ssl&#8217; : ‘http://www&#8217;) + ‘.google-analytics.com/ga.js’;
var s = document.getElementsByTagName(‘script’)[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
</head>
<body>
<table width=”1000border=”0align=”centercellpadding=”0cellspacing=”0“>
<tr>
<td width=”77onClick=”displaybar();“><a href=”http://www.starhub.comtarget=”_blank“><img src=”http://203.117.187.181/starhub/wishfi/images/logo.pngwidth=”77height=”90border=”0” /></a></td>
<td width=”728onClick=”displaybar();“><div><script type=”text/javascript“>/* 728×90, created 07-30-2010, ad refreshed every 10 seconds.*/</script><script type=”text/javascriptsrc=”http://weblink.singapore.wishfi.com/startjs.php?lid=1349484171“></script></div></td>
<td background=”http://203.117.187.181/starhub/wishfi/images/left_top.png” ><!—->
<table width=”100%border=”0cellspacing=”0cellpadding=”0” >
<tr>
<td width=”160height=”90” >
<div class=”sm_barid=”div1style=”display:; z-index: 214748364“>
<table width=”161border=”0cellspacing=”0id=”table1cellpadding=”0” >
<tr>
<td height=”84“><table width=”161border=”0cellspacing=”0cellpadding=”0“>
<tr>
<td width=”66height=”84“><a href=”http://music.starhub.comclass=”music_sm_btntarget=”_blank“></a></td>
<td width=”66id=”sbox1onClick=”showDiv();target=”_blank“><a id=”smsBtnhref=”#class=”sms_sm_btn“></a></td>
<td width=”29onclick=”toolbar();“><a href=”#class=”Show_bar_btn“></a></td>
</tr>
</table>
</td>
</tr>
</table>
</div>
<div class=”sm_barid=”div2style=”margin-left:-127px!important;display: none; z-index: 214748364” >
<table width=”288border=”0cellspacing=”0cellpadding=”0” >
<tr>
<td width=”66height=”84“><a href=”http://music.starhub.comclass=”music_bg_btntarget=”_blank“></a></td>
<td width=”66id=”sbox2onClick=”showDiv();target=”_blank“><!–<a href=”#” class=”sms_bg_btn”></a>–></td>
<td width=”67“><a href=”http://play.starhub.com/starhubtv/video.doclass=”tv_bg_btntarget=”_blank“></a></td>
<td width=”60“><a href=”http://www.starhub.com/entertainment/tvguide.htmlclass=”guide_bg_btntarget=”_blank“></a></td>
<td width=”29onclick=”toolbar();“><a href=”#class=”Show_bar_btn_l“></a></td>
</tr>
</table>
</div>
</td>
<td valign=”toponClick=”displaybar();“><a href=”http://www.starhub.com/content/support/broadband/faqs/shleaderboardtoobar.htmlclass=”help_btntarget=”_blank“></a></td>
</tr>
</table></td>
</tr>
<tr onClick=”displaybar();“>
<td></td>
<td></td>
<td></td>
</tr>
</table>
<p onClick=”displaybar();“>&nbsp;</p>
<p onClick=”displaybar();“>&nbsp;</p>
</body>
</html>

If you click on that (they call it Leaderboard, I will call it LoserBoard) you get to their site which essentially says that you cannot opt out of it.  I think this form of code injection is illegal and StarHub deserves to be taken to task.  

Even though StarHub says that the broadband access is “free”, it is not really.  This price for using their HD box already covers this “free” access so I think they are being untruthful in doing this code injection.

It is interesting that even though their Loserboard has a “Close” button, clicking on it in when at a wikipedia.org page will cause the wikipedia page to have the vertical scroll bar (if there was one) to disappear leaving the resultant page un-navigable.  It does not matter if the browser is Chromium or Chrome or Firefox.

Here are some screenshots of this illegal code injection.

11 comments


  1. Starhub must be brought to justice for this.

    The “Leaderboard” is not part of convenience at all. It’s a total nuisance. Nice job breaking Wikipedia pages.

    I mean, just make an option to disable it for goodness sake. It’s coming out in December? Seriously, it doesn’t take long to code such a simple and trivial function. Does it really take more than a month to code?

    I mean, I appreciate all your other services, but this is just ridiculous.


  2. Yes, Starhub ought to be taken to task.
    It is wrong!! Does that mean when I subscribe or buy a service, the vendor are allowed to intrude into the privacy of my home or what I am doing.
    The Starhub intrusion has caused my internet to slow down and my Facebook Mafia Wars unplayable!!!
    Thinking of terminating the Cable service and return the bloody Hubstation.


  3. I rang starhub support bout this as I pay for a premium internet package and I still get this. The first person told me they were only in billing so I had to call the tech hel number, the tech help guy didn’t know about it, then couldn’t work the phone and accidentally hung up, the third guy claimed he didn’t know and wasted 15 minutes of my time before saying I had to call sales back and ask them- these people are beyond useless and criminally stupid. I’m changing companies- as much as I dislike Singtel, at least they are not dishonest and completely useless.


  4. found a fix for the problem. using privoxy. add a filter to remove the string “wapi” and the javascript no longers loads all the crap. let me know if you need more details =)

Leave a Reply