Security researcher Ryan Stevenson uncovered the flaws, which Comcast patched after BuzzFeed News contacted the company about them. The problem stemmed from a pair of vulnerabilities on the service provider’s online login portal. Comcast says it has found no evidence that the flaws were abused, but it is continuing to review its systems.
“We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers,” spokesperson David McGuire told BuzzFeed News. “We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.”
The first flaw involved Comcast’s “in-home authentication” page. This page, which let customers pay their bills without signing in, verified users by asking them to pick their account address (partially obscured) from a list of four options. An attacker who knew a customer’s IP address could spoof requests so they appeared to come from that address, load the page, and refresh it repeatedly. With each refresh the three incorrect options changed while the correct address stayed the same, so the one option that survived every refresh was the customer’s partial address. Cross-referencing that partial address with data from an IP lookup site could then yield the customer’s full address.
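The refresh-and-intersect trick described above, as an added example that is not code from the report or from Comcast. It models only the page's option generation and the attacker's intersection step; the IP-spoofing step that gets the attacker to the page in the first place is outside the model. The addresses, the decoy pool, the masking scheme and the account ID are all constructed for this illustration. A hardened variant that draws the decoys deterministically per account is shown beside the vulnerable one, so the reader can see why refreshing stops leaking anything once the decoys stop changing.

```python
import hashlib
import random
from typing import Callable, Optional

# Constructed sample data for this example (not from the report).
TARGET_ADDRESS = "1428 Elm Street, Springfield"
DECOY_POOL = [
    "22 Oak Avenue, Springfield",
    "907 Maple Drive, Shelbyville",
    "310 Pine Court, Springfield",
    "55 Cedar Lane, Capital City",
    "1200 Birch Road, Ogdenville",
    "7 Willow Way, North Haverbrook",
]


def obscure(address: str) -> str:
    """Mask all but the first digit of the house number and drop the city,
    e.g. '1428 Elm Street, Springfield' -> '1*** Elm Street'.
    The masking scheme is an assumption for this example."""
    number, _, rest = address.partition(" ")
    street = rest.split(",")[0]
    return number[0] + "*" * (len(number) - 1) + " " + street


def vulnerable_page(rng: random.Random) -> list[str]:
    """Vulnerable behaviour: three decoys are re-drawn on every request, so
    the correct option is the only one that is stable across refreshes."""
    options = [TARGET_ADDRESS] + rng.sample(DECOY_POOL, 3)
    rng.shuffle(options)
    return [obscure(a) for a in options]


def hardened_page(account_id: str) -> list[str]:
    """Hardened behaviour: decoys are derived from the account, so every
    refresh returns the same four options and intersection learns nothing."""
    seed = int.from_bytes(hashlib.sha256(account_id.encode()).digest()[:8], "big")
    rng = random.Random(seed)
    options = [TARGET_ADDRESS] + rng.sample(DECOY_POOL, 3)
    rng.shuffle(options)
    return [obscure(a) for a in options]


def intersect_refreshes(fetch: Callable[[], list[str]], refreshes: int) -> set[str]:
    """Attacker's side: request the page repeatedly and keep only the options
    that appear in every response."""
    stable: Optional[set[str]] = None
    for _ in range(refreshes):
        seen = set(fetch())
        stable = seen if stable is None else stable & seen
    return stable if stable is not None else set()


def leak_via_refresh(seed: int = 0, refreshes: int = 40) -> set[str]:
    """Run the attack against the vulnerable page with a seeded server RNG.
    With 6 decoys and 3 drawn per request, each decoy survives one refresh
    with probability 1/2, so 40 refreshes leave only the real address."""
    rng = random.Random(seed)
    return intersect_refreshes(lambda: vulnerable_page(rng), refreshes)


if __name__ == "__main__":
    print("vulnerable page leaks:", leak_via_refresh())
    print("hardened page yields:", intersect_refreshes(lambda: hardened_page("acct-1"), 40))
```

Pinning the decoys per account only closes the refresh oracle; it does not make "pick your address" a sound authenticator, which is why disabling the feature outright (as the article reports Comcast did) is the stronger fix.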
The second flaw was found on the sign-up page used by Authorized Dealers (sales staff not based at Comcast retail centers). With a customer’s billing address, an attacker could exhaustively search for the last four digits of the customer’s Social Security number: only 10,000 values are possible, and with no limit on the number of attempts at the Social Security prompt, a script could simply try them all.
Comcast has since disabled its “in-home authentication” feature; customers now must type in personal information by hand to verify their account ownership. It also put a rate limit on the Authorized Dealers portal.
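The enumeration attack on the dealer sign-up prompt and the rate-limit fix, as an added example that is not Comcast's code and not from the report. The service class, its verdict strings, the sample record and the lockout threshold of five failures per address are all assumptions made for this illustration; a real limit would also be keyed on source IP and session, not on the target address alone.

```python
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample record for this example: billing address -> last four of SSN.
SAMPLE_RECORDS: Dict[str, str] = {"1428 Elm Street, Springfield": "6789"}


class DealerSignupService:
    """Simulated back end for the Authorized Dealer sign-up check.
    max_failures=None reproduces the unlimited-attempts flaw; a number
    locks the prompt for that address after that many wrong guesses."""

    def __init__(self, records: Dict[str, str], max_failures: Optional[int] = None):
        self._records = records
        self._max_failures = max_failures
        self._failures: Dict[str, int] = {}

    def verify(self, address: str, last4: str) -> str:
        """Return 'ok', 'wrong' or 'locked'."""
        if self._max_failures is not None and self._failures.get(address, 0) >= self._max_failures:
            return "locked"
        stored = self._records.get(address)
        # Constant-time comparison so response timing does not leak digit matches.
        if stored is not None and hmac.compare_digest(stored, last4):
            return "ok"
        self._failures[address] = self._failures.get(address, 0) + 1
        return "wrong"


def brute_force_last4(service: DealerSignupService, address: str) -> Tuple[Optional[str], int]:
    """Attacker: try every four-digit value in order. Returns the recovered
    value (or None) and the number of requests it took."""
    attempts = 0
    for candidate in (f"{n:04d}" for n in range(10_000)):
        attempts += 1
        verdict = service.verify(address, candidate)
        if verdict == "ok":
            return candidate, attempts
        if verdict == "locked":
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    target = "1428 Elm Street, Springfield"
    print("no rate limit:", brute_force_last4(DealerSignupService(SAMPLE_RECORDS), target))
    print("lockout after 5:", brute_force_last4(DealerSignupService(SAMPLE_RECORDS, max_failures=5), target))
```

Four decimal digits give an attacker at most 10,000 guesses, so the unlimited service always falls within that budget; with the lockout the attacker is stopped at the sixth request. A lockout keyed only on the target address also gives an attacker a way to lock real customers out of the prompt, so a production limit should combine per-target and per-source throttling rather than rely on either alone.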
Both a billing address and the last four digits of a Social Security number are poor authenticators: they are static, widely shared with third parties, and routinely exposed in data breaches, so anyone who learns them can pass the same checks the customer would. Once gleaned by an attacker, they leave the customer open to account takeover and identity theft.
H/T BuzzFeed News
Christina Bonnington is a tech reporter who specializes in consumer gadgets, apps, and the trends shaping the technology industry. Her work has also appeared in Gizmodo, Wired, Refinery29, Slate, Bicycling, and Outside Magazine. She is based in the San Francisco Bay Area and has a background in electrical engineering.