Third Comcast Website Flaw Exposes User Data In As Many Months

from the it's-Comcastic dept

Comcast has been dinged for a third significant website privacy vulnerability in almost as many months. Back in May, a bug in Comcast's website used to activate the company's Xfinity-branded routers opened the door to letting attackers trick the website into displaying the home address where the router is located, as well as the Wi-Fi name and password. Then last June, security researchers discovered that an API used by Comcast could be tricked into returning a swath of private customer data, including account numbers, a user's account address, and numerous details about a user's account, including what services are subscribed to.

Comcast's now back in the news again, with BuzzFeed reporting that yet another security flaw in Comcast's website has potentially exposed customer information. Security researcher Ryan Stevenson (who also discovered the previous two vulnerabilities) found that two new, previously-unreported vulnerabilities exposed the the partial home addresses and Social Security numbers of more than 26.5 million Comcast customers.

One of the flaws let an attacker exploit an "in home authentication" portal set up by Comcast that let customers pay their bills without logging in. The portal asked users to verify their identity by showing them partial snippets of four potential home addresses. While this was designed to be convenient, it opened the door to a potential hacker spoofing a Comcast user's IP address to obtain sensitive data. Once alerted, Comcast fixed the vulnerability and required that users enter their cable and broadband credentials to pay their bills.

The other flaw was potentially more damning, since it exposed the last four digits of Comcast users' social security numbers:

"In the second vulnerability that Stevenson discovered, a sign-up page through the website for Comcast’s Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers’ Social Security numbers. Armed with just a customer’s billing address, a hacker could brute-force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer’s Social Security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form."

Comcast, for its part, states that the vulnerabilities have been patched:

"We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report."

Which is all well and good, but given the volume of sensitive data collected by telecom giants that also sell home phone service, wireless, security service, broadband, TV, and an ocean of other services, the number of website flaws in recent months remains troubling. Especially for a company that spent millions lobbying to kill FCC broadband privacy protections last year; protections that, among other things, required that ISPs be more transparent about what data is collected and sold, and quickly and transparently inform customers when their private data may have been improperly accessed.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: flaws, passwords, privacy, security, xfinity
Companies: comcast


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    NobleThought (profile), 10 Aug 2018 @ 7:46am

    Fishy Logic

    I would really like to see the people that propose stupid things like this get slapped. Not slapped with a lawsuit. Just with a fish. It would amuse me and hopefully teach them a smelly lesson.

    link to this | view in thread ]

  2. icon
    Stephen T. Stone (profile), 10 Aug 2018 @ 8:37am

    Re: Fishy Logic

    Lose the case, trout across your face. Sounds good to me.

    link to this | view in thread ]

  3. icon
    DannyB (profile), 10 Aug 2018 @ 9:58am

    It's not a bug

    It's just Comcast trying to be publicly transparent. With your personal information.

    link to this | view in thread ]

  4. icon
    AR Libertarian (profile), 10 Aug 2018 @ 10:26am

    Comcast and SSNs

    After all the data breaches, I might as well just put my family's SSNs on my car windows. Everyone has them anyway.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 10 Aug 2018 @ 11:24am

    Why would an isp need your ssn? This makes no sense.

    They provide a service and bill monthly, probably in advance so there is no need to look at your credit rating but I imagine they do anyway - because why not? Do they also vary the rate you are charged based upon your credit rating? That seems to be what the cool kids are doing these days.

    link to this | view in thread ]

  6. icon
    James Burkhardt (profile), 10 Aug 2018 @ 12:21pm

    Re:

    To identify you with a 'unique' numer. Because of their monopoly status, you either have to give them your SSN, or go without. Similarly, Power and Water companies also require you to give up information they shouldn't store longer than necessary, but they do.

    And the government has fed into the idea that you use SSNs as a form of identification.

    link to this | view in thread ]

  7. icon
    Ninja (profile), 10 Aug 2018 @ 12:32pm

    Aaaan it will keep happening as long as no meaningful punishments are delivered.

    link to this | view in thread ]

  8. icon
    That Anonymous Coward (profile), 10 Aug 2018 @ 1:05pm

    Well the customers can always move to another provide.... oh yeah.

    Well there are laws... oh wait Experian still exists.

    The cost of providing security is more than what it costs them to settle after the breach (and hey isn't that a tax writeoff??) it will not improve.

    They face no legal repercussions (THANKS ARBITRATION!), they face no competition (THANKS WELL PLACED CONTRIBUTIONS!), they won't get better.

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 10 Aug 2018 @ 2:39pm

    Re: Re:

    When it created the SS admin the government specifically stipulated that the SSN would not be used for identification.

    They lie.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.