Comcast hack reveals some Spectrum customers were open to security vulnerability
Evgeny Pavlov/Flickr (CC-BY-SA)
Following the discovery and subsequent fixing of a security flaw with Comcast’s login portal earlier this month, it appears that Spectrum customers were also vulnerable to hacking through their internet service provider.
Security researchers Phobia and Nicholas “Convict” Ceraolo uncovered the issue, which allowed anyone to hack into Spectrum customers’ accounts without a password, BuzzFeed News reports. A customer’s IP address and a little social engineering could give hackers access to a user’s email, billing address, or phone number. (That is, with a user’s IP address, a hacker could contact customer service and glean other information about a user.) With that information, a hacker could gain additional information, such as log-in details or financial data, through an accurate-looking phishing email.
Charter acquired Time Warner in a merger in 2016, and their customers now fall under the Spectrum brand. However, customers still use the My TWC app, and a subset of pre-merger customers who lacked an access ID were vulnerable to having their MAC address stolen. The page where users could create an ID was the center of this security issue. There, a hacker could swap their IP address with the customer’s and proceed through the account verification and profile creation process, even if some information (such as the user zip code) was incorrect. Only the phone number needed to be accurate, and trial and error could eventually find the correct phone number if it wasn’t previously known.
Luckily, the vulnerability doesn’t appear to have been exploited in the wild, according to Spectrum’s parent company Charter Communications. Charter Communications addressed the issue when the researchers brought it to their attention.
“We investigated and quickly implemented a fix to the vulnerability that was brought to our attention,” Charter Communications spokesperson Francois Claude told BuzzFeed News. “We continue to investigate, but at this time have no reason to believe this vulnerability was ever used beyond the security researchers who reported it to BuzzFeed.”
H/T BuzzFeed News
Christina Bonnington is a tech reporter who specializes in consumer gadgets, apps, and the trends shaping the technology industry. Her work has also appeared in Gizmodo, Wired, Refinery29, Slate, Bicycling, and Outside Magazine. She is based in the San Francisco Bay Area and has a background in electrical engineering.