A Comcast security flaw on its Xfinity login page exposed personal customer data, including partial home addresses and Social Security numbers, of more than 26.5 million subscribers.
Security researcher Ryan Stevenson uncovered the security flaws, which Comcast patched after BuzzFeed News reached out about the issue. The security problem stemmed from a pair of vulnerabilities on the service provider’s online login portal. Comcast hasn’t found any evidence of foul play but is continuing to review its systems.
“We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers,” spokesperson David McGuire told BuzzFeed News. “We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.”
The first flaw had to do with Comcast’s “in-home authentication” page. This page, which let customers pay their bills without needing to sign in, verified users by asking them to select the correct account address (partially obscured) from a list of four options. Unfortunately, it was possible for a hacker to gain access to accounts via this page by obtaining a user’s IP address, spoofing the page, and then refreshing the page multiple times. With each refresh, the incorrect address options would change, while the correct address would remain the same. A hacker could cross-reference that partial address information with data from an IP lookup site to then glean a user’s full address.
The second Comcast security flaw was found on its sign-up page used by Authorized Dealers (sales employees not located at Comcast retail centers). With a customer’s billing address, a hacker could exhaustively search the system to figure out the last four digits of the customer’s Social Security number. With no limit on the number of attempts on the Social Security prompt, a program could be used to hack this.
Comcast has since disabled its “in-home authentication” feature; customers now must type in personal information by hand to verify their account ownership. It also put a rate limit on the Authorized Dealers portal.
Both address information and Social Security information are poor means of user authentication; if accurately gleaned by a hacker, a user’s identity could be at risk.
H/T BuzzFeed News