Third Comcast Website Flaw Exposes User Data In As Many Months

from the it's-Comcastic dept

Comcast has been dinged for a third significant website privacy vulnerability in almost as many months. Back in May, a bug in the Comcast website used to activate the company’s Xfinity-branded routers let attackers trick the site into displaying the home address where the router is located, along with the Wi-Fi network name and password. Then in June, security researchers discovered that an API used by Comcast could be tricked into returning a swath of private customer data, including account numbers, the account address, and numerous account details such as which services are subscribed to.

Comcast’s now back in the news again, with BuzzFeed reporting that yet another security flaw in Comcast’s website has potentially exposed customer information. Security researcher Ryan Stevenson (who also discovered the previous two vulnerabilities) found that two new, previously-unreported vulnerabilities exposed the partial home addresses and Social Security numbers of more than 26.5 million Comcast customers.

One of the flaws let an attacker exploit an “in home authentication” portal set up by Comcast that let customers pay their bills without logging in. The portal asked users to verify their identity by showing them partial snippets of four potential home addresses. While this was designed to be convenient, it opened the door to a potential hacker spoofing a Comcast user’s IP address to obtain sensitive data. Once alerted, Comcast fixed the vulnerability and required that users enter their cable and broadband credentials to pay their bills.

The other flaw was potentially more damning, since it exposed the last four digits of Comcast users’ Social Security numbers:

“In the second vulnerability that Stevenson discovered, a sign-up page through the website for Comcast’s Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers’ Social Security numbers. Armed with just a customer’s billing address, a hacker could brute-force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer’s Social Security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form.”
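The quoted passage turns on one missing control: the form evaluated every guess, so a four-digit value only ever had 10,000 possibilities to survive. The following is an added example, not Comcast's code or anything from the BuzzFeed report, that puts an attempt-limited verifier next to an unlimited one and measures what each exposes to a full 0000–9999 sweep. The account ids, the sample last-four values, the five-attempt limit and the fifteen-minute lockout are all constructed assumptions for the demonstration.

```python
"""Attempt-limited verification of a four-digit identity check (e.g. the last
four digits of an SSN). Added example; not Comcast's code. All records,
limits and account ids below are constructed for the demonstration."""
import hmac
import time
from collections import defaultdict

MAX_ATTEMPTS = 5            # failed guesses allowed before lockout (assumed policy)
LOCKOUT_SECONDS = 15 * 60   # how long an account stays locked (assumed policy)

# Constructed sample records: account id -> last four digits. Not real data.
SAMPLE_RECORDS = {"acct-1001": "7342", "acct-1002": "0019"}


class UnlimitedVerifier:
    """Mirrors the flaw the article describes: every guess is checked and
    nothing is counted, so a 10,000-guess sweep always reaches the value."""

    def __init__(self, records):
        self._records = records

    def verify(self, account, guess):
        expected = self._records.get(account, "")
        return "ok" if hmac.compare_digest(expected, guess) else "denied"


class LimitedVerifier:
    """Same check with a per-account failure counter and a lockout window."""

    def __init__(self, records, now=time.time):
        self._records = records
        self._now = now                     # injectable clock, so tests can advance time
        self._failures = defaultdict(int)   # account -> consecutive failed guesses
        self._locked_until = {}             # account -> epoch seconds when lock expires

    def verify(self, account, guess):
        now = self._now()
        if self._locked_until.get(account, 0.0) > now:
            return "locked"                 # refuse without even evaluating the guess
        expected = self._records.get(account, "")
        # Constant-time compare: response timing must not reveal a partial match.
        if hmac.compare_digest(expected, guess):
            self._failures[account] = 0
            return "ok"
        self._failures[account] += 1
        if self._failures[account] >= MAX_ATTEMPTS:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures[account] = 0
            return "locked"
        return "denied"


def sweep_exposure(verifier, account):
    """Submit every four-digit value once, in order, and tally the responses.
    This is the measurement a reviewer would run against a test instance to
    confirm whether an attempt limit is actually enforced."""
    counts = {"ok": 0, "denied": 0, "locked": 0}
    for n in range(10_000):
        counts[verifier.verify(account, f"{n:04d}")] += 1
    return counts


if __name__ == "__main__":
    print("no limit :", sweep_exposure(UnlimitedVerifier(SAMPLE_RECORDS), "acct-1001"))
    print("limited  :", sweep_exposure(LimitedVerifier(SAMPLE_RECORDS), "acct-1001"))
```

Against the unlimited verifier the sweep records exactly one "ok"; against the limited one it records none, because the fifth wrong guess locks the account and the remaining guesses are rejected before the secret is even compared. A per-account lockout on its own can be turned into a denial of service against a legitimate customer, so deployments normally pair it with per-source throttling and alerting on lockout spikes, and treat a four-digit value as weak evidence of identity in the first place.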

Comcast, for its part, states that the vulnerabilities have been patched:

“We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.”

Which is all well and good, but given the volume of sensitive data collected by telecom giants that also sell home phone service, wireless, security service, broadband, TV, and an ocean of other services, the number of website flaws in recent months remains troubling. Especially for a company that spent millions lobbying to kill FCC broadband privacy protections last year; protections that, among other things, required that ISPs be more transparent about what data is collected and sold, and quickly and transparently inform customers when their private data may have been improperly accessed.


Comments on “Third Comcast Website Flaw Exposes User Data In As Many Months”

Anonymous Coward says:

Why would an isp need your ssn? This makes no sense.

They provide a service and bill monthly, probably in advance so there is no need to look at your credit rating but I imagine they do anyway – because why not? Do they also vary the rate you are charged based upon your credit rating? That seems to be what the cool kids are doing these days.

James Burkhardt (profile) says:

Re: Re:

To identify you with a ‘unique’ number. Because of their monopoly status, you either have to give them your SSN, or go without. Similarly, Power and Water companies also require you to give up information they shouldn’t store longer than necessary, but they do.

And the government has fed into the idea that you use SSNs as a form of identification.

That Anonymous Coward (profile) says:

Well the customers can always move to another provider…. oh yeah.

Well there are laws… oh wait Experian still exists.

The cost of providing security is more than what it costs them to settle after the breach (and hey isn’t that a tax writeoff??); it will not improve.

They face no legal repercussions (THANKS ARBITRATION!), they face no competition (THANKS WELL PLACED CONTRIBUTIONS!), they won’t get better.
