Most solutions for getting around the captive portals used in $7 airport wireless services involve sniffing the network and spoofing authenticated MAC addresses. I stumbled across an old post from 2006 by Felix Geisendörfer who discovered that some of these proxy systems are set up to allow pictures through before payment.

Presumably this is to allow external custom imagery and analytics tracking bugs to be accessed during the sign-in process. The funny thing is that the proxy allows files through based on a string comparison on the requested URL, and it’s easily fooled.

Without any hope of success I typed into my browser’s adress bar, and to my big surprise I saw the page you see when you follow the link right now. The next thing I typed in was: but that didn’t work. But I went on, and found that url’s like worked like a charm. I found that I could easily visit sites like slashdot, google, or even this weblog, when adding a ?.jpg at the end of the url. The next logical step was to automate that. I downloaded greasemonkey.xpi?.jpg (*g*) and wrote a 4 line js script that would add ?.jpg to every link in a document. That way I was able to browse most sites without a hassle.

I wonder how prolific this loophole is. Next time you’re in an airport (or a hotel), give it a shot and let us know how it works for you.

Hacking a commercial airport WLAN