Security Flaws On Comcast’s Login Page Exposed Customers’ Personal Information

After a BuzzFeed News inquiry, Comcast patched the vulnerabilities.

Posted on August 8, 2018, at 7:48 p.m. ET

Joe Raedle / Getty Images

Comcast Xfinity inadvertently exposed the partial home addresses and Social Security numbers of more than 26.5 million customers, according to security researcher Ryan Stevenson, who discovered the security flaws. Two previously unreported vulnerabilities in the high-speed internet service provider’s online customer portal made it easy for even an unsophisticated hacker to access this sensitive information.

After BuzzFeed News reported the findings to Comcast, the company patched the flaws. Spokesperson David McGuire told BuzzFeed News, “We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.”

While Comcast has not found any foul play yet, its review is ongoing.

One of the flaws could be exploited by going to an “in-home authentication” page where customers can pay their bills without signing in. If the device was (or appeared to be) connected to the customer’s home network, the portal asked customers to verify their account by choosing one of four partial home addresses it suggested. If a hacker obtained a customer’s IP address and spoofed it to Comcast using an “X-Forwarded-For” technique, they could repeatedly refresh this login page to reveal the customer’s location. That’s because each time the page refreshed, three of the addresses would change, while one address, the correct one, remained the same.

Eventually, the page would show the first digit of the street number and the first three letters of the correct street name, while asterisks hid the remaining characters. A hacker could then use IP lookup websites to determine the city, state, and postal code of the partial address.
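The root of the first flaw is a server that decides “this request comes from the subscriber’s home connection” based on a header the client itself controls. The following is an added illustration, not Comcast’s code: a flawed client-address lookup that trusts X-Forwarded-For from anyone, beside a hardened version that only honours the header when the connection actually arrives from a known reverse proxy, and then uses the hop that proxy appended rather than whatever the client placed first. The subscriber IP table, account ids, and proxy address are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: the ISP's record of which subscriber an assigned IP belongs to.
SUBSCRIBER_IPS = {
    "203.0.113.45": "acct-0001",
}

# Hypothetical: the reverse proxies that legitimately sit in front of the portal.
# Only these peers are allowed to tell us about the real client address.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


@dataclass
class Request:
    peer_ip: str                      # TCP peer address the server actually saw
    headers: dict = field(default_factory=dict)


def client_ip_vulnerable(req):
    """Flawed: trusts X-Forwarded-For from any peer, so the client picks its own 'IP'."""
    xff = req.headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return req.peer_ip


def client_ip_hardened(req):
    """Honours X-Forwarded-For only when the connection comes from a trusted proxy,
    and then takes the last hop (the one that proxy appended), not the first."""
    peer = ipaddress.ip_address(req.peer_ip)
    if peer in TRUSTED_PROXIES:
        xff = req.headers.get("X-Forwarded-For", "")
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return req.peer_ip


def in_home_account(req, resolve_client_ip):
    """Return the account id if the request appears to originate from a subscriber's
    home connection, else None. The resolver decides which address is believed."""
    return SUBSCRIBER_IPS.get(resolve_client_ip(req))


if __name__ == "__main__":
    # A direct connection from an unrelated address that merely claims a subscriber IP.
    spoofed = Request(peer_ip="198.51.100.7",
                      headers={"X-Forwarded-For": "203.0.113.45"})
    print("vulnerable:", in_home_account(spoofed, client_ip_vulnerable))  # acct-0001
    print("hardened:  ", in_home_account(spoofed, client_ip_hardened))    # None
```

The hardened resolver still lets a real proxy deployment work: a request that genuinely passes through 10.0.0.5 carries the proxy-appended address as the last hop, and that is the only value the server believes.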


BuzzFeed News

The former “in-home authentication” portal for Comcast customers.

After learning of the vulnerability, Comcast disabled in-home authentication. Now, customers need to manually input personal information to verify their accounts.

This vulnerability was particularly easy to exploit — and to use to target someone. It’s simple to obtain someone’s IP (or “Internet Protocol”) address, a string of numbers that links your internet activity to the Wi-Fi network you’re using. Web administrators can see the IP addresses of everyone who visits their website. Many forums also disclose users’ IP addresses along with their usernames. A malicious actor can also send someone a link designed specifically to obtain a target’s IP address.

While an IP address alone is not sensitive information, paired with knowledge of someone’s internet service provider, it can help a bad actor confirm their target’s specific location. And it’s often fairly easy to figure out someone’s internet service provider, or ISP, because an area is typically limited to one or two high-speed internet options, thanks to the consolidation of internet companies.

In the second vulnerability that Stevenson discovered, a sign-up page on the website for Comcast’s Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers’ Social Security numbers. Armed with just a customer’s billing address, a hacker could brute-force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer’s Social Security number. Because the page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security digits are accepted by the form.

After being contacted by BuzzFeed News, Comcast put a strict rate limit on the portal.
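The fix Comcast applied is a rate limit, and the arithmetic behind it is worth seeing. The following is an added illustration, not Comcast’s code: a verifier for a “last four digits” check that counts failures per billing address, locks the address out after a small number of wrong guesses, compares in constant time, and reports how long an exhaustive search of all 10,000 combinations would take for one address under those settings. The record table, the failure cap (5), and the lockout window (15 minutes) are constructed assumptions; a real deployment would also alert on lockouts and apply a second limit per source.

```python
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5            # assumption: wrong guesses allowed before lockout
LOCKOUT_SECONDS = 15 * 60   # assumption: lockout window after the cap is reached

# Constructed sample records: billing address -> last four SSN digits on file.
RECORDS = {"123 Example St": "4321"}


class Last4Verifier:
    """Verifies the last four digits for an address, with per-address lockout."""

    def __init__(self, records, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
        self.records = records
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = defaultdict(int)   # consecutive wrong guesses per address
        self.locked_until = {}             # address -> timestamp the lock expires

    def verify(self, address, last4, now=None):
        """Return 'ok', 'denied' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        if now < self.locked_until.get(address, 0):
            return "locked"               # no comparison at all while locked

        # Normalise input so the constant-time compare always gets 4 ASCII chars.
        if not (len(last4) == 4 and last4.isdigit()):
            last4 = "xxxx"
        expected = self.records.get(address)
        # Always run the compare (against a dummy for unknown addresses) so that
        # response timing does not reveal whether the address exists.
        match = hmac.compare_digest(expected if expected is not None else "0000", last4)
        if expected is not None and match:
            self.failures[address] = 0
            return "ok"

        self.failures[address] += 1
        if self.failures[address] >= self.max_failures:
            self.failures[address] = 0
            self.locked_until[address] = now + self.lockout
            return "locked"
        return "denied"


def hours_to_exhaust_one_address(verifier):
    """Lower bound on wall-clock hours to try all 10,000 four-digit values against a
    single address when each lockout window permits `max_failures` guesses."""
    windows = 10_000 / verifier.max_failures
    return windows * verifier.lockout / 3600


if __name__ == "__main__":
    v = Last4Verifier(RECORDS)
    for guess in ("0000", "0001", "0002", "0003", "0004"):
        print(guess, v.verify("123 Example St", guess, now=0))
    print("correct value while locked:", v.verify("123 Example St", "4321", now=1))
    print("hours to exhaust one address:", hours_to_exhaust_one_address(v))  # 500.0
```

With no limit, 10,000 guesses is a few minutes of automated requests; with five guesses per 15-minute window, the same search takes at least 500 hours for a single address, which is long enough for the lockouts themselves to be noticed and investigated.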


BuzzFeed News

The Comcast Authorized Dealer page requiring Social Security information.

Social Security information is particularly sensitive because many companies, including credit card companies and wireless service providers, use the last four digits of your Social Security number to verify your identity over the phone or online. Hackers can use this four-digit combination to steal your identity by tricking customer service representatives into handing over online account access.

“An attacker having partial address information and combining it with partial Social Security number information is a recipe for disaster,” said Jessy Irwin, head of security at Tendermint. The last four digits of a Social, according to Irwin, can get an attacker into nearly every type of account.

“We truly need to move away from those kinds of information,” said Irwin, who said even partial Social Security and address information is too risky and too easy to find in a web search or account settings.

Security researchers like Stevenson who find vulnerabilities in Comcast products and services can report them through a submission form. However, the company’s disclosure policy states that it “does not offer a bounty program or provide compensation in exchange for security vulnerability submissions,” unlike the reporting programs that companies like GitHub, Google, and Microsoft offer. (Stevenson did not submit his findings to Comcast.)

While internet service providers like Comcast aren’t necessarily less secure than other websites, “they’re just more risky because of the data they hold,” said Irwin. That data includes ties to a cellphone account, which can be used to hijack a SIM card and bypass two-step verification.

The disclosure of these vulnerabilities follows a slew of massive breaches over the past year, including at credit monitoring firm Equifax, Yahoo, the UK’s National Health Service, and, most recently, Reddit. These hacks show the increasing eagerness (and ability) of hackers to access sensitive data, and the importance of implementing security measures that keep users’ personal information safe. It’s also worth noting that when companies like Equifax and Yahoo recently reported their massive data breaches, both later found the leaks affected more users and data than initially announced.
