Security researcher Ryan Stevenson uncovered the security flaws, which Comcast patched after BuzzFeed News reached out about the issue. The security problem stemmed from a pair of vulnerabilities on the service provider’s online login portal. Comcast hasn’t found any evidence of foul play but is continuing to review its systems.
“We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers,” spokesperson David McGuire told BuzzFeed News. “We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.”
The first flaw had to do with Comcast’s “in-home authentication” page. This page, which let customers pay their bills without needing to sign in, verified users by asking them to select the correct account address (partially obscured) from a list of four options. Unfortunately, it was possible for a hacker to gain access to accounts via this page by obtaining a user’s IP address, spoofing the page, and then refreshing the page multiple times. With each refresh, the incorrect address options would change, while the correct address would remain the same. A hacker could cross-reference that partial address information with data from an IP lookup site to then glean a user’s full address.
The second Comcast security flaw was found on the sign-up page used by Authorized Dealers (sales employees not located at Comcast retail centers). With a customer’s billing address, a hacker could exhaustively search the system to figure out the last four digits of the customer’s Social Security number. Because the Social Security prompt placed no limit on the number of attempts, a script could automate the guessing until it hit the right value.
Comcast has since disabled its “in-home authentication” feature; customers now must type in personal information by hand to verify their account ownership. It also put a rate limit on the Authorized Dealers portal.
Both address information and Social Security information are poor means of user authentication; if accurately gleaned by a hacker, a user’s identity could be at risk.
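Both flaws come down to the same two server-side controls: the options shown on a multiple-choice check must not vary between refreshes in a way that singles out the right answer, and any guessable secret needs an attempt limit keyed on the account being probed. The following Python is an added illustration written for this article, not Comcast's code; the account records, decoy addresses, secret and masking rule are all constructed. It derives the decoy set and its order deterministically from the account, so repeated refreshes return the identical list, and it wraps the last-four-SSN check in a lockout counter of the kind the article says was later added to the dealer portal.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass, field

# Constructed demo data; none of this is Comcast's.
SERVER_SECRET = b"constructed-demo-secret"
ACCOUNTS = {
    "acct-1001": {"address": "1234 Maple Street", "ssn_last4": "4821"},
    "acct-1002": {"address": "910 Pine Road", "ssn_last4": "0377"},
}
DECOY_POOL = [
    "5678 Oak Avenue", "42 Elm Court", "77 Cedar Lane", "318 Birch Way",
    "2020 Spruce Drive", "15 Willow Place", "860 Ash Boulevard", "3 Hill Terrace",
]


def mask_address(address: str) -> str:
    """Illustrative partial masking: keep the first character of each token."""
    return " ".join(tok[0] + "*" * (len(tok) - 1) for tok in address.split())


def address_options(account_id: str, n_options: int = 4) -> list[str]:
    """Multiple-choice options whose decoys and ordering are a deterministic
    function of the account. Every refresh, from any client, yields the
    identical list, so the real address is no longer the one entry that
    stays put while the others change."""
    seed = hmac.new(SERVER_SECRET, account_id.encode(), hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(seed[:8], "big"))
    real = ACCOUNTS[account_id]["address"]
    pool = [d for d in DECOY_POOL if d != real]
    options = rng.sample(pool, n_options - 1) + [real]
    rng.shuffle(options)
    return [mask_address(o) for o in options]


@dataclass
class AttemptLimiter:
    """Per-key failure counter with lockout: the control the dealer portal's
    Social Security prompt lacked."""
    max_failures: int = 5
    lockout_seconds: float = 900.0
    failures: dict = field(default_factory=dict)      # key -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # key -> unlock time

    def is_locked(self, key: str, now: float) -> bool:
        return now < self.locked_until.get(key, 0.0)

    def record(self, key: str, success: bool, now: float) -> None:
        if success:
            self.failures.pop(key, None)
            return
        count = self.failures.get(key, 0) + 1
        self.failures[key] = count
        if count >= self.max_failures:
            # 5 tries per 15 minutes turns a 10,000-value search into weeks.
            self.locked_until[key] = now + self.lockout_seconds
            self.failures.pop(key, None)


def verify_ssn_last4(limiter: AttemptLimiter, account_id: str,
                     guess: str, now: float) -> str:
    """Return 'locked', 'ok' or 'wrong'. The comparison is constant-time and
    the counter is keyed on the account being probed, not on the caller, so
    changing source addresses does not reset it."""
    if limiter.is_locked(account_id, now):
        return "locked"
    ok = hmac.compare_digest(guess, ACCOUNTS[account_id]["ssn_last4"])
    limiter.record(account_id, ok, now)
    return "ok" if ok else "wrong"
```

The stable decoy list closes the refresh leak but does nothing about the weakness the article ends on: a partially masked address is still something an outsider can often reconstruct from public data, which is why removing the feature, as Comcast did, is the stronger fix. The limiter is keyed on the target account precisely because the original prompt could be driven from anywhere; a per-client limit alone would reset as soon as the caller changed networks.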
H/T BuzzFeed News
Christina Bonnington is a tech reporter who specializes in consumer gadgets, apps, and the trends shaping the technology industry. Her work has also appeared in Gizmodo, Wired, Refinery29, Slate, Bicycling, and Outside Magazine. She is based in the San Francisco Bay Area and has a background in electrical engineering.