Security researcher Ryan Stevenson uncovered the security flaws, which Comcast patched after BuzzFeed News reached out about the issue. The security problem stemmed from a pair of vulnerabilities on the service provider’s online login portal. Comcast hasn’t found any evidence of foul play but is continuing to review its systems.
“We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers,” spokesperson David McGuire told BuzzFeed News. “We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.”
The first flaw had to do with Comcast’s “in-home authentication” page. This page, which let customers pay their bills without needing to sign in, verified users by asking them to select the correct account address (partially obscured) from a list of four options. Unfortunately, it was possible for a hacker to gain access to accounts via this page by obtaining a user’s IP address, spoofing the page, and then refreshing the page multiple times. With each refresh, the incorrect address options would change, while the correct address would remain the same. A hacker could cross-reference that partial address information with data from an IP lookup site to then glean a user’s full address.
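The refresh behavior described above can be checked for in any multiple-choice verification page. This is an added example, not Comcast's code or its fix (Comcast disabled the feature): the addresses, key, account ID and function names are all constructed for illustration. It compares decoys redrawn on every load with decoys derived deterministically per account.

```python
import hashlib
import hmac
import random

# Constructed sample data: masked addresses, not real records.
REAL = "12** Oak St"
DECOY_POOL = [f"{n}** {s}" for n in (31, 47, 58, 60, 72, 89)
              for s in ("Elm Ave", "Pine Rd", "Lake Dr", "Hill Ct")]
SERVER_KEY = b"constructed-demo-key"  # assumption: a per-deployment secret


def random_challenge(rng):
    """Flawed pattern from the article: decoys are redrawn on every page load."""
    options = rng.sample(DECOY_POOL, 3) + [REAL]
    rng.shuffle(options)
    return options


def stable_challenge(account_id):
    """Hardened pattern: decoys and ordering come from HMAC(key, account|address),
    so every load of the page for one account shows the same four options."""
    def rank(addr):
        msg = f"{account_id}|{addr}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    decoys = sorted(DECOY_POOL, key=rank)[:3]
    return sorted(decoys + [REAL], key=rank)


def surviving_options(challenges):
    """Options present in every observed challenge. A single survivor means
    the page has disclosed which address is the real one."""
    common = set(challenges[0])
    for options in challenges[1:]:
        common &= set(options)
    return common


def refresh_leak(seed=1, loads=20):
    """Regression check: render each challenge type `loads` times and compare."""
    rng = random.Random(seed)
    flawed = surviving_options([random_challenge(rng) for _ in range(loads)])
    fixed = surviving_options([stable_challenge("acct-0001") for _ in range(loads)])
    return flawed, fixed
```

Stable decoys close only the refresh leak; a one-in-four guess remains weak verification on its own.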
The second Comcast security flaw was found on the sign-up page used by Authorized Dealers (sales employees not located at Comcast retail centers). With a customer’s billing address, a hacker could exhaustively search the system to figure out the last four digits of the customer’s Social Security number. Because there was no limit on the number of attempts at the Social Security prompt, a program could run through the guesses automatically.
Comcast has since disabled its “in-home authentication” feature; customers now must type in personal information by hand to verify their account ownership. It also put a rate limit on the Authorized Dealers portal.
Both address information and Social Security information are poor means of user authentication; if accurately gleaned by a hacker, a user’s identity could be at risk.
H/T BuzzFeed News
Christina Bonnington is a tech reporter who specializes in consumer gadgets, apps, and the trends shaping the technology industry. Her work has also appeared in Gizmodo, Wired, Refinery29, Slate, Bicycling, and Outside Magazine. She is based in the San Francisco Bay Area and has a background in electrical engineering.