Third Comcast Website Flaw Exposes User Data In As Many Months
from the it's-Comcastic dept
Comcast has been dinged for a third significant website privacy vulnerability in almost as many months. Back in May, a bug in Comcast’s website used to activate the company’s Xfinity-branded routers opened the door to letting attackers trick the website into displaying the home address where the router is located, as well as the Wi-Fi name and password. Then last June, security researchers discovered that an API used by Comcast could be tricked into returning a swath of private customer data, including account numbers, a user’s account address, and numerous details about a user’s account, including what services are subscribed to.
Comcast’s now back in the news again, with BuzzFeed reporting that yet another security flaw in Comcast’s website has potentially exposed customer information. Security researcher Ryan Stevenson (who also discovered the previous two vulnerabilities) found that two new, previously-unreported vulnerabilities exposed the partial home addresses and Social Security numbers of more than 26.5 million Comcast customers.
One of the flaws let an attacker exploit an “in home authentication” portal set up by Comcast that let customers pay their bills without logging in. The portal asked users to verify their identity by showing them partial snippets of four potential home addresses. While this was designed to be convenient, it opened the door to a potential hacker spoofing a Comcast user’s IP address to obtain sensitive data. Once alerted, Comcast fixed the vulnerability and required that users enter their cable and broadband credentials to pay their bills.
The other flaw was potentially more damning, since it exposed the last four digits of Comcast users’ social security numbers:
“In the second vulnerability that Stevenson discovered, a sign-up page through the website for Comcast’s Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers’ Social Security numbers. Armed with just a customer’s billing address, a hacker could brute-force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer’s Social Security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form.”
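The root cause described above is a four-digit verification step with no limit on attempts, which leaves only 10,000 possibilities to check. The following is an added illustration of the fix (it is not Comcast's code, BuzzFeed's, or the researcher's): a toy verifier that locks an account after a fixed number of wrong answers, keyed on the account being verified rather than on the caller's IP, since the first flaw shows IP-based checks can be spoofed. The sample addresses, digits, `MAX_FAILURES` and `LOCKOUT_SECONDS` values are constructed assumptions.

```python
# Added example, not from the original article: attempt limiting on a
# four-digit identity-verification check. All data below is constructed.
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 5        # wrong answers allowed before the account locks (assumed policy)
LOCKOUT_SECONDS = 900   # lock length; a real deployment would also alert the customer

# Constructed sample records: billing address -> last four digits on file.
RECORDS = {
    "123 Example St, Springfield": "4821",
    "9 Sample Ave, Shelbyville": "0137",
}


@dataclass
class AttemptState:
    failures: int = 0
    locked_until: float = 0.0


class Verifier:
    """Checks a four-digit answer for an account, with or without attempt limiting."""

    def __init__(self, records, limit_attempts=True, clock=time.monotonic):
        self._records = records
        self._limit = limit_attempts
        self._clock = clock          # injectable so tests can advance time
        self._state = {}
        self.comparisons = 0         # guesses that reached the secret comparison

    def verify(self, address, candidate):
        now = self._clock()
        state = self._state.setdefault(address, AttemptState())

        # Lock is keyed on the account under verification, not the source IP,
        # because an IP-only throttle can be evaded by spoofing the address.
        if self._limit and now < state.locked_until:
            return "locked"

        expected = self._records.get(address)
        self.comparisons += 1
        # Constant-time compare; unknown addresses still compare against a dummy
        # so the response time does not reveal whether the address exists.
        ok = hmac.compare_digest(candidate, expected or "0000") and expected is not None
        if ok:
            state.failures = 0
            return "ok"

        state.failures += 1
        if self._limit and state.failures >= MAX_FAILURES:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0
        return "denied"   # same message whether the address or the digits were wrong


def wrong_guesses_reaching_comparison(limit_attempts, guesses=10_000):
    """Feed `guesses` wrong answers for one account and report how many of them
    the verifier actually checked against the stored value."""
    v = Verifier(RECORDS, limit_attempts=limit_attempts)
    address = "123 Example St, Springfield"
    for i in range(guesses):
        candidate = f"{i:04d}"
        if candidate == RECORDS[address]:
            continue            # skip the real value; only wrong answers are sent
        v.verify(address, candidate)
    return v.comparisons


def lockout_expires():
    """Show that a locked account rejects even the right answer until the lock lapses."""
    t = [0.0]
    v = Verifier(RECORDS, clock=lambda: t[0])
    address = "9 Sample Ave, Shelbyville"
    for _ in range(MAX_FAILURES):
        v.verify(address, "9999")
    while_locked = v.verify(address, "0137")   # correct digits, but locked
    t[0] += LOCKOUT_SECONDS
    after_lock = v.verify(address, "0137")
    return while_locked, after_lock


if __name__ == "__main__":
    print("no limit: comparisons reached =", wrong_guesses_reaching_comparison(False))
    print("limited : comparisons reached =", wrong_guesses_reaching_comparison(True))
    print("during/after lockout:", lockout_expires())
```

With limiting off, every one of the 9,999 wrong answers is evaluated, so the remaining keyspace is trivially small; with limiting on, only `MAX_FAILURES` guesses ever reach the comparison and the account stays locked for the configured window. The uniform "denied" response and constant-time comparison are the other two checks a reviewer would expect on such a form.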
Comcast, for its part, states that the vulnerabilities have been patched:
“We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.”
Which is all well and good, but given the volume of sensitive data collected by telecom giants that also sell home phone service, wireless, security service, broadband, TV, and an ocean of other services, the number of website flaws in recent months remains troubling. Especially for a company that spent millions lobbying to kill FCC broadband privacy protections last year; protections that, among other things, required that ISPs be more transparent about what data is collected and sold, and quickly and transparently inform customers when their private data may have been improperly accessed.
Filed Under: flaws, passwords, privacy, security, xfinity
Companies: comcast
Comments on “Third Comcast Website Flaw Exposes User Data In As Many Months”
Fishy Logic
I would really like to see the people that propose stupid things like this get slapped. Not slapped with a lawsuit. Just with a fish. It would amuse me and hopefully teach them a smelly lesson.
Re: Fishy Logic
Lose the case, trout across your face. Sounds good to me.
It's not a bug
It’s just Comcast trying to be publicly transparent. With your personal information.
Comcast and SSNs
After all the data breaches, I might as well just put my family’s SSNs on my car windows. Everyone has them anyway.
Why would an isp need your ssn? This makes no sense.
They provide a service and bill monthly, probably in advance so there is no need to look at your credit rating but I imagine they do anyway – because why not? Do they also vary the rate you are charged based upon your credit rating? That seems to be what the cool kids are doing these days.
Re: Re:
To identify you with a ‘unique’ number. Because of their monopoly status, you either have to give them your SSN, or go without. Similarly, Power and Water companies also require you to give up information they shouldn’t store longer than necessary, but they do.
And the government has fed into the idea that you use SSNs as a form of identification.
Re: Re: Re:
When it created the SS admin the government specifically stipulated that the SSN would not be used for identification.
They lie.
Aaaan it will keep happening as long as no meaningful punishments are delivered.
Well the customers can always move to another provider…. oh yeah.
Well there are laws… oh wait Experian still exists.
The cost of providing security is more than what it costs them to settle after the breach (and hey isn’t that a tax writeoff??) it will not improve.
They face no legal repercussions (THANKS ARBITRATION!), they face no competition (THANKS WELL PLACED CONTRIBUTIONS!), they won’t get better.