Security researcher Ryan Stevenson uncovered the security flaws, which Comcast patched after BuzzFeed News reached out about the issue. The security problem stemmed from a pair of vulnerabilities on the service provider’s online login portal. Comcast hasn’t found any evidence of foul play but is continuing to review its systems.
“We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers,” spokesperson David McGuire told BuzzFeed News. “We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.”
The first flaw had to do with Comcast’s “in-home authentication” page. This page, which let customers pay their bills without needing to sign in, verified users by asking them to select the correct account address (partially obscured) from a list of four options. Unfortunately, it was possible for a hacker to gain access to accounts via this page by obtaining a user’s IP address, spoofing that IP address, and then refreshing the page multiple times. With each refresh, the incorrect address options would change, while the correct address would remain the same. A hacker could then cross-reference that partial address with data from an IP lookup site to glean the user’s full address.
The second Comcast security flaw was found on the sign-up page used by Authorized Dealers (sales employees not located at Comcast retail centers). With a customer’s billing address, a hacker could exhaustively search the system to figure out the last four digits of the customer’s Social Security number. Because there was no limit on the number of attempts at the Social Security prompt, a script could simply try every possible combination.
Comcast has since disabled its “in-home authentication” feature; customers now must type in personal information by hand to verify their account ownership. It also put a rate limit on the Authorized Dealers portal.
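The two design weaknesses described above, each beside a hardened counterpart, as an added example (not Comcast’s code or BuzzFeed’s). The addresses, session ids, the four-digit value and the attempt limit are constructed sample values, and the hardened behaviour shown is the general fix (decoys fixed per session; attempts capped), not a description of Comcast’s actual patch.

```python
"""Added example: a multiple-choice address challenge whose decoys are
redrawn on every refresh (weak) versus one whose option set is fixed per
session (hardened), plus a per-account attempt limiter for a four-digit
prompt. All data below is constructed for illustration."""
import hashlib
import random

# Constructed sample data: one real account address and a pool of decoys.
REAL_ADDRESS = "1234 Elm St"
DECOY_POOL = ["98 Oak Ave", "77 Pine Rd", "560 Maple Dr", "12 Birch Ln",
              "4100 Cedar Ct", "301 Walnut St", "9 Spruce Way"]
LAST4 = "4821"  # constructed sample, stands in for the last four SSN digits


def mask(address: str) -> str:
    """Partially obscure an address, keeping the first digit of the number."""
    number, _, street = address.partition(" ")
    return number[:1] + "*" * (len(number) - 1) + " " + street


def weak_options(rng: random.Random) -> list:
    """Weak design: three decoys are drawn afresh on each refresh while the
    real address is always present, so the real one is the only option that
    survives every refresh."""
    opts = [REAL_ADDRESS] + rng.sample(DECOY_POOL, 3)
    rng.shuffle(opts)
    return [mask(o) for o in opts]


def simulate_refreshes(n: int, seed: int = 0) -> list:
    """Return the option lists a client would see over n refreshes."""
    rng = random.Random(seed)
    return [weak_options(rng) for _ in range(n)]


def hardened_options(session_id: str) -> list:
    """Hardened design: decoys and ordering are derived from a per-session
    seed, so every refresh within the session returns the identical set and
    refreshing reveals nothing."""
    seed = int.from_bytes(hashlib.sha256(session_id.encode()).digest()[:8], "big")
    rng = random.Random(seed)
    opts = [REAL_ADDRESS] + rng.sample(DECOY_POOL, 3)
    rng.shuffle(opts)
    return [mask(o) for o in opts]


def stable_across_refreshes(option_sets: list) -> set:
    """Design-review check: which options appear in every refresh? A single
    survivor means the page leaks the answer; all four surviving means the
    option set is stable and the leak is closed."""
    common = set(option_sets[0])
    for s in option_sets[1:]:
        common &= set(s)
    return common


class AttemptLimiter:
    """Per-account cap on verification attempts inside a sliding window.
    A four-digit field has only 10,000 values, so without a cap it can be
    enumerated; the default limit is an assumed value, not Comcast's."""

    def __init__(self, max_attempts: int = 5, window_s: float = 3600.0):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self._attempts = {}  # account -> list of attempt timestamps

    def allow(self, account: str, now: float) -> bool:
        recent = [t for t in self._attempts.get(account, [])
                  if now - t < self.window_s]
        if len(recent) >= self.max_attempts:
            self._attempts[account] = recent
            return False  # locked out until the window slides
        recent.append(now)
        self._attempts[account] = recent
        return True


def verify_last4(account: str, guess: str, limiter: AttemptLimiter,
                 now: float) -> str:
    """Check a four-digit guess behind the limiter; returns 'locked', 'ok'
    or 'wrong'. Every attempt, right or wrong, counts against the cap."""
    if not limiter.allow(account, now):
        return "locked"
    return "ok" if guess == LAST4 else "wrong"


if __name__ == "__main__":
    print("weak page, options common to 30 refreshes:",
          stable_across_refreshes(simulate_refreshes(30)))
    print("hardened page, options common to 30 refreshes:",
          stable_across_refreshes([hardened_options("sess-abc")] * 30))
```

The review check is the useful part for a defender: run it against any multiple-choice verification step, and if the intersection of a few dozen refreshes collapses to one option, the page is telling the client the answer. The limiter applies the same idea the article reports Comcast adopting for the dealer portal: a small per-account budget of attempts, so a four-digit field stops being enumerable in practice.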
Neither an address nor partial Social Security information is a strong means of user authentication; once a hacker has accurately gleaned them, a user’s identity is at risk.
H/T BuzzFeed News
Christina Bonnington is a tech reporter who specializes in consumer gadgets, apps, and the trends shaping the technology industry. Her work has also appeared in Gizmodo, Wired, Refinery29, Slate, Bicycling, and Outside Magazine. She is based in the San Francisco Bay Area and has a background in electrical engineering.