Today, while surfing on Twitter, I noticed Brute Logic's Tweet about the JS event handler "onbeforescriptexecute", which makes a tag execute JS right before every <script> tag on the page starts execution.
I followed the link provided in the tweet anticipating that only one alert will be there because of the <script> tag that is already in the page, but I was surprised to see that actually two alert boxes appeared.
I inspected the source code of the page, and was thrilled to see a completely new <script> tag there, which was not there in the first place on the page, neither was it injected in the payload. See the following screenshot:
After some research on Google, I found out that the script gets injected by my ISP, Vodafone. This means that they are intercepting and eavesdropping on EVERY request I make to EVERY page that doesn't use HTTPS as protocol, and of course EVERYONE else's requests as well.
The script basically replaces all the images in a given page with low quality ones, saving bandwidth for Vodafone, and giving them the opportunity to inspect every request issued by the devices connected to them.
Reference: http://www.sphaero.org/blog:2012:0418_am_i_hacked_oh_it_s_just_vodafone
