Third Comcast Website Flaw Exposes User Data In As Many Months

from the it's-Comcastic dept

Comcast has been dinged for a third significant website privacy vulnerability in almost as many months. Back in May, a bug in Comcast's website used to activate the company's Xfinity-branded routers opened the door to letting attackers trick the website into displaying the home address where the router is located, as well as the Wi-Fi name and password. Then last June, security researchers discovered that an API used by Comcast could be tricked into returning a swath of private customer data, including account numbers, a user's account address, and numerous details about a user's account, including what services are subscribed to.

Comcast's now back in the news again, with BuzzFeed reporting that yet another security flaw in Comcast's website has potentially exposed customer information. Security researcher Ryan Stevenson (who also discovered the previous two vulnerabilities) found that two new, previously-unreported vulnerabilities exposed the the partial home addresses and Social Security numbers of more than 26.5 million Comcast customers.

One of the flaws let an attacker exploit an "in home authentication" portal set up by Comcast that let customers pay their bills without logging in. The portal asked users to verify their identity by showing them partial snippets of four potential home addresses. While this was designed to be convenient, it opened the door to a potential hacker spoofing a Comcast user's IP address to obtain sensitive data. Once alerted, Comcast fixed the vulnerability and required that users enter their cable and broadband credentials to pay their bills.

The other flaw was potentially more damning, since it exposed the last four digits of Comcast users' social security numbers:

"In the second vulnerability that Stevenson discovered, a sign-up page through the website for Comcast’s Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers’ Social Security numbers. Armed with just a customer’s billing address, a hacker could brute-force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer’s Social Security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form."

Comcast, for its part, states that the vulnerabilities have been patched:

"We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report."

Which is all well and good, but given the volume of sensitive data collected by telecom giants that also sell home phone service, wireless, security service, broadband, TV, and an ocean of other services, the number of website flaws in recent months remains troubling. Especially for a company that spent millions lobbying to kill FCC broadband privacy protections last year; protections that, among other things, required that ISPs be more transparent about what data is collected and sold, and quickly and transparently inform customers when their private data may have been improperly accessed.

Filed Under: flaws, passwords, privacy, security, xfinity
Companies: comcast

Some Comcast Customers Won't Get The Latest Broadband Upgrades Without Buying Cable TV

from the utterly-Comcastic dept

As we've often noted, Comcast has been shielded from the cord cutting trend somewhat thanks to its growing monopoly over broadband. As users on slow DSL lines flee telcos that are unwilling to upgrade their damn networks, they're increasingly flocking to cable operators for faster speeds. When they get there, they often bundle TV services; not necessarily because they want it, but because it's intentionally cheaper than buying broadband standalone.

And while Comcast's broadband monopoly has protected it from TV cord cutting somewhat, the rise in streaming competition has slowly eroded that advantage, and Comcast is expected to see see double its usual rate of cord cutting this year according to Wall Street analysts.

Comcast being Comcast, the company has a semi-nefarious plan B. Part of that plan is to abuse its monopoly over broadband to deploy arbitrary and unnecessary usage caps and overage fees. These restrictions are glorified rate hikes applied to non competitive markets, with the added advantage of making streaming video more expensive. It's a punishment for choosing to leave Comcast's walled garden.

But Comcast appears to have discovered another handy trick that involves using its broadband monopoly to hamstring cord cutters. Reports emerged this week that the company is upgrading the speeds of customers in Houston and parts of the Pacific Northwest, but only if they continue to subscribe to traditional cable television. The company's press release casually floats over the fact that only Comcast video customers will see these upgrades for now:

"Speed increases will vary based on the Xfinity Internet customers' current speed subscriptions. Those receiving the speed boost will benefit from an increase of 30 to 40 percent in their download speeds. Existing Xfinity Internet and X1 video customers subscribing to certain packages can expect to experience enhanced speeds this month."

As is usually the case, Comcast simply acted as if this was all just routine promotional experimentation (an argument that only works if you're unfamiliar with Comcast's other efforts to constrain emerging video competition):

"We asked Comcast a few questions, including whether it will make speed increases in other cities contingent on TV subscribership. A Comcast spokesperson didn't answer, but noted, "we test and introduce new bundles all the time." The spokesperson also said that the speed increase for Houston is the second in 2018, after one in January. The Oregon/SW Washington speed increase is apparently the first one this year."

In a healthy market with healthy regulatory oversight, either competition or adult regulatory supervision would prevent Comcast from using its broadband monopoly to constrain consumer video choices. But if you hadn't noticed, the telecom and TV sector and the current crop of regulators overseeing it aren't particularly healthy, and with the looming death of net neutrality you're going to see a whole lot more behavior like this designed to erect artificial barriers to genuine consumer choice and competition.

Filed Under: broadband, bundles, cable tv, competition, speeds, tv, upgrades, xfinity
Companies: comcast

Comcast Using Packet Injection To Push Its Own Ads Via WiFi, Apparently Oblivious To Security Concerns

from the because-it's-comcast dept

David Kravets, over at Ars Technica, has a good post detailing how Comcast is doing questionable packet injection to put its own javascript ads onto websites if you're surfing via Comcast's public WiFi access points. The practice was spotted by Ryan Singel, who saw the following "XFINITY WIFI: Peppy" ad scoot across his screen: Comcast, in typical Comcast fashion, appears to be totally and completely oblivious as to why this could possibly be seen as a problem:

A Comcast spokesman told Ars the program began months ago. One facet of it is designed to alert consumers that they are connected to Comcast's Xfinity service. Other ads remind Web surfers to download Xfinity apps, Comcast spokesman Charlie Douglas told Ars in telephone interviews.

The advertisements may appear about every seven minutes or so, he said, and they last for just seconds before trailing away. Douglas said the advertising campaign only applies to Xfinity's publicly available Wi-Fi hot spots that dot the landscape. Comcast customers connected to their own Xfinity Wi-Fi routers when they're at home are not affected, he said.

"We think it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast," Douglas said.

It's a courtesy to hijack the page a person asked for and insert something that no one asked for on it? I don't think so. There's a reason that packet injection is considered an attack and a security risk -- and it's got nothing to do with courtesy.

Certainly, the website that Singel was browsing when he spotted it, Mediagzer, was not pleased about having its own site hijacked and defaced:

"Indeed, they were not ours," Gabe Rivera, who runs Mediagazer and Techmeme, said in an e-mail. In another e-mail, he said, "someone else is inserting them in a sneaky way."

Kravets also talks to Robb Topolski, the guy who first provided the evidence to show that Comcast was throttling BitTorrent a while back, kicking off one of the first big net neutrality fights (which resulted in the FCC slapping Comcast's wrists). Topolski notes that what they're doing here is technically equivalent:

To Topolski, what Comcast is now doing is no different from before: Comcast is adding data into the broadband packet stream. In 2007, it was packets serving up disconnection commands. Today, Comcast is inserting JavaScript that is serving up advertisements, according to Topolski, who reviewed Singel's data.

"It's the duty of the service provider to pull packets without treating them or modifying them or injecting stuff or forging packets. None of that should be in the province of the service provider," he said. "Imagine every Web page with a Comcast bug in the lower righthand corner. It's the antithesis of what a service provider is supposed to do. We want Internet access, not another version of cable TV."

But, of course, to the big broadband players, the last few years have been all about them trying to make the internet much more like cable TV, where they get to act as the gatekeepers and have much more control. The ability to inject their own ads into various webpages is just another bonus.

Filed Under: ads, broadband, isps, packet injection, security, wifi, xfinity
Companies: comcast

Comcast Commercial Promotes Fast WiFi To Gamers... To Play Game With No Online Connection

from the because-comcast-thinks-you're-an-idiot dept

Comcast continues its efforts to present itself as one of the most out of touch and ridiculous companies out there, with a new commercial directed at videogamers, highlighting how fast Comcast's in-game WiFi is. Note how it's addressed to "real gamers." Just one problem, as "Mr. Comcast" goes on about how there's "no buffering" and how much better the video gaming experience is with Comcast's Xfinity WiFi, people pointed out that the game in question has no online play. The game is Ubisoft's Trials Fusion, which means that there's no reason there would be any buffering at all in the first place.

Mr. Comcast gets the gamers playing Trials Fusion. The game is indeed a shiny new title, released on PC and for the major gaming consoles (Xbox 360, Xbox One, and PlayStation 4) just a few weeks ago. The motorcycle tricks-and-racing game launched to generally positive reviews that lauded its mechanics and features. But reviewers also mentioned one notable feature that the game does not have: an online multiplayer mode.

No online mode, no net connection. No network connection, no network lag.

“Do you notice any buffering?” Mr. Comcast then asks.

The gamers happily reply that they do not! And of course they don’t: the game ships on a disc or as a one-time digital download. It’s not on a streaming or cloud service like a Netflix or YouTube video; there’s nothing to buffer. That would be akin to asking if you see Microsoft Word buffering when you type a report on your work computer. Your software might be running slowly, but “buffering” is definitely not the issue.

As Re/code points out, this doesn't exactly help Comcast's reputation. And, if you want some amusement, this Reddit comment thread can't be beat: It really takes a special kind of cluelessness to target "real gamers" with an ad so ridiculously misleading, and which those very same "real gamers" will almost immediately call out as bogus.

Filed Under: broadband, multiplayer, trials fusion, video games, xfinity
Companies: comcast, ubisoft