A security researcher has discovered flaws on Comcast Xfinity’s website that exposed the personal details of tens of millions of customers.
The major ISP’s online customer portal had two inherent security flaws – now patched by Comcast – that left customer details exposed to even unsophisticated hackers, BuzzFeed reports.
The portal’s ‘in-home authentication’ page, which lets customers pay bills without signing in with any credentials, contained a flaw: if the device used was connected to the customer’s home network, the portal asked them to verify their account simply by choosing one of four partial home addresses suggested on the page. Each time the page was refreshed, three of the addresses changed while a single address, the correct one, stayed the same.
In such a scenario, a hacker who obtained a customer’s IP address could spoof Comcast via an “X-forwarded-for” technique, repeatedly refreshing the login page to pinpoint the customer’s location. Soon enough, the page exposed the first three letters of the correct street name and the street number, enough for a hacker to then use IP lookup websites to zero in on the postal code, city and state of the partially revealed address. Comcast has disabled in-home authentication after being notified of the vulnerability.
The other vulnerability was in a sign-up page on Comcast’s Authorized Dealers portal, which revealed the last four digits of customers’ Social Security numbers. Here, a hacker armed with just the customer’s billing address could brute-force the page to ‘guess’ the last four digits of the customer’s Social Security number. Alarmingly, the page did not enforce any limit on the number of attempts.
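As an added illustration of the defender-side fixes for both weaknesses (this is example code, not Comcast’s), the handler below only honours X-Forwarded-For from its own reverse proxy, derives the address decoys deterministically per account so refreshing the page reveals nothing, and locks the account after a fixed number of failed guesses. The proxy address, server secret, attempt limit, lockout period and decoy list are all assumed values.

```python
import hmac
import ipaddress
import random
import time

# Assumed deployment values (hypothetical): our own reverse proxy, a
# server-side secret, and the attempt-limit policy.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.1")}
SERVER_SECRET = b"replace-with-a-real-secret"
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 900

def client_ip(peer_ip, x_forwarded_for=None):
    # Honour X-Forwarded-For only when the TCP peer is our own proxy; a header
    # sent directly by a client cannot stand in for a subscriber's home line.
    peer = ipaddress.ip_address(peer_ip)
    if peer in TRUSTED_PROXIES and x_forwarded_for:
        # The proxy appends the address it saw: trust only that last entry.
        return ipaddress.ip_address(x_forwarded_for.split(",")[-1].strip())
    return peer

class AddressVerifier:
    def __init__(self, decoys):
        self.decoys = decoys
        self.state = {}  # account_id -> attempts / lockout

    def address_choices(self, account_id, true_address):
        # Derive decoys and order from a keyed hash of the account, so every
        # request shows the same four options and refreshing reveals nothing.
        seed = hmac.new(SERVER_SECRET, account_id.encode(), "sha256").digest()
        rng = random.Random(seed)
        opts = rng.sample(self.decoys, 3) + [true_address]
        rng.shuffle(opts)
        return opts

    def check(self, account_id, submitted, expected, now=None):
        # Count every failure and lock the account after MAX_ATTEMPTS, the
        # limit the sign-up page lacked. Returns "ok", "retry" or "locked".
        now = time.time() if now is None else now
        st = self.state.setdefault(account_id, {"attempts": 0, "locked_until": 0.0})
        if now < st["locked_until"]:
            return "locked"
        if hmac.compare_digest(submitted, expected):
            self.state.pop(account_id, None)
            return "ok"
        st["attempts"] += 1
        if st["attempts"] >= MAX_ATTEMPTS:
            st.update(attempts=0, locked_until=now + LOCKOUT_SECONDS)
            return "locked"
        return "retry"
```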
Comcast spokesperson David McGuire told BuzzFeed News:
We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.