Third Comcast Website Flaw Exposes User Data In As Many Months
from the it's-Comcastic dept
Comcast has been dinged for a third significant website privacy vulnerability in almost as many months. Back in May, a bug in Comcast's website used to activate the company's Xfinity-branded routers opened the door to letting attackers trick the website into displaying the home address where the router is located, as well as the Wi-Fi name and password. Then last June, security researchers discovered that an API used by Comcast could be tricked into returning a swath of private customer data, including account numbers, a user's account address, and numerous details about a user's account, including what services are subscribed to.
Comcast's now back in the news again, with BuzzFeed reporting that yet another security flaw in Comcast's website has potentially exposed customer information. Security researcher Ryan Stevenson (who also discovered the previous two vulnerabilities) found that two new, previously unreported vulnerabilities exposed the partial home addresses and Social Security numbers of more than 26.5 million Comcast customers.
One of the flaws let an attacker exploit an "in home authentication" portal set up by Comcast that let customers pay their bills without logging in. The portal asked users to verify their identity by showing them partial snippets of four potential home addresses. While this was designed to be convenient, it opened the door to a potential hacker spoofing a Comcast user's IP address to obtain sensitive data. Once alerted, Comcast fixed the vulnerability and required that users enter their cable and broadband credentials to pay their bills.
The other flaw was potentially more damning, since it exposed the last four digits of Comcast users' Social Security numbers:
"In the second vulnerability that Stevenson discovered, a sign-up page through the website for Comcast’s Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers’ Social Security numbers. Armed with just a customer’s billing address, a hacker could brute-force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer’s Social Security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form."
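The missing control in the quoted flaw is a cap on verification attempts, counted against the customer record being probed rather than the caller's IP address. The following is an added example, not Comcast's code, showing such a gate for a four-digit field together with a defender-side measurement of how much of the 10,000-value space a form exposes before it locks; the class and function names, the billing-address key and the sample value are all assumed for illustration.

```python
import hmac
import math
import time
from collections import defaultdict

# Added example, not Comcast's code. Assumes a verification form that looks a
# customer up by billing address and then asks for the last four SSN digits;
# all names and sample values here are constructed for illustration.

CANDIDATE_SPACE = 10 ** 4  # a four-digit field has only 10,000 possible values


class VerificationGate:
    """Per-target attempt limiter.

    Failures are counted against the customer record being probed (the
    target), not against the caller's IP address, so rotating source
    addresses does not reset the counter.  max_failures=None reproduces the
    unlimited form the article describes.
    """

    def __init__(self, max_failures=5, lockout_seconds=15 * 60,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(int)  # target -> consecutive failures
        self._locked_until = {}            # target -> monotonic deadline

    def is_locked(self, target):
        deadline = self._locked_until.get(target)
        return deadline is not None and self.clock() < deadline

    def check(self, target, supplied, expected):
        """Return 'locked', 'denied' or 'ok'.

        The lock is tested before the secret, so a locked target reveals
        nothing even when the guess happens to be right.
        """
        if self.is_locked(target):
            return "locked"
        if hmac.compare_digest(supplied, expected):  # constant-time compare
            self._failures.pop(target, None)
            return "ok"
        self._failures[target] += 1
        if (self.max_failures is not None
                and self._failures[target] >= self.max_failures):
            self._locked_until[target] = self.clock() + self.lockout_seconds
            self._failures.pop(target, None)
        return "denied"


def wrong_guesses_tolerated(gate, target, expected):
    """Defender-side measurement: how many wrong guesses does the gate accept
    for one target before locking it?  Only constructed wrong values are
    submitted; the real value is skipped."""
    accepted = 0
    for i in range(CANDIDATE_SPACE):
        guess = f"{i:04d}"
        if guess == expected:
            continue
        if gate.check(target, guess, expected) == "locked":
            break
        accepted += 1
    return accepted


def worst_case_exhaust_seconds(max_failures, lockout_seconds):
    """A lockout that merely pauses still leaves the whole space reachable
    over ceil(10000 / max_failures) lockout windows.  This quantifies why a
    pause must be paired with alerting or a permanent block on repeated
    lockouts."""
    windows = math.ceil(CANDIDATE_SPACE / max_failures)
    return windows * lockout_seconds


if __name__ == "__main__":
    target = "123 Example St, Anytown"   # constructed billing address
    secret = "4321"                      # constructed last-four value
    unlimited = VerificationGate(max_failures=None)
    limited = VerificationGate(max_failures=5, lockout_seconds=900)
    print("unlimited form tolerates", wrong_guesses_tolerated(unlimited, target, secret))
    print("limited form tolerates", wrong_guesses_tolerated(limited, target, secret))
    print("days to exhaust with 5 tries / 15 min:",
          worst_case_exhaust_seconds(5, 900) / 86400)
```

The unlimited gate accepts all 9,999 wrong values, which is the situation the quote describes; the limited one stops after five. The last function is the caveat: five tries per fifteen-minute window still covers the space in about 21 days, so a temporary lockout needs to escalate (alerting, a hard block, or a stronger identity check such as the credentials Comcast later required) rather than just reset.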
Comcast, for its part, states that the vulnerabilities have been patched:
"We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report."
Which is all well and good, but given the volume of sensitive data collected by telecom giants that also sell home phone service, wireless, security service, broadband, TV, and an ocean of other services, the number of website flaws in recent months remains troubling. Especially for a company that spent millions lobbying to kill FCC broadband privacy protections last year; protections that, among other things, required that ISPs be more transparent about what data is collected and sold, and quickly and transparently inform customers when their private data may have been improperly accessed.
Filed Under: flaws, passwords, privacy, security, xfinity
Companies: comcast
Reader Comments
Fishy Logic
Re: Fishy Logic
Lose the case, trout across your face. Sounds good to me.
It's not a bug
Comcast and SSNs
They provide a service and bill monthly, probably in advance, so there is no need to look at your credit rating, but I imagine they do anyway - because why not? Do they also vary the rate you are charged based upon your credit rating? That seems to be what the cool kids are doing these days.
Re:
And the government has fed into the idea that you use SSNs as a form of identification.
Re: Re:
They lie.
Well there are laws... oh wait Experian still exists.
The cost of providing security is more than what it costs them to settle after the breach (and hey, isn't that a tax write-off??), so it will not improve.
They face no legal repercussions (THANKS ARBITRATION!), they face no competition (THANKS WELL PLACED CONTRIBUTIONS!), they won't get better.