Third Comcast Website Flaw Exposes User Data In As Many Months

from the it's-Comcastic dept

Comcast has been dinged for a third significant website privacy vulnerability in almost as many months. Back in May, a bug in Comcast's website used to activate the company's Xfinity-branded routers opened the door to letting attackers trick the website into displaying the home address where the router is located, as well as the Wi-Fi name and password. Then last June, security researchers discovered that an API used by Comcast could be tricked into returning a swath of private customer data, including account numbers, a user's account address, and numerous details about a user's account, including what services are subscribed to.

Comcast's now back in the news again, with BuzzFeed reporting that yet another security flaw in Comcast's website has potentially exposed customer information. Security researcher Ryan Stevenson (who also discovered the previous two vulnerabilities) found that two new, previously-unreported vulnerabilities exposed the the partial home addresses and Social Security numbers of more than 26.5 million Comcast customers.

One of the flaws let an attacker exploit an "in home authentication" portal set up by Comcast that let customers pay their bills without logging in. The portal asked users to verify their identity by showing them partial snippets of four potential home addresses. While this was designed to be convenient, it opened the door to a potential hacker spoofing a Comcast user's IP address to obtain sensitive data. Once alerted, Comcast fixed the vulnerability and required that users enter their cable and broadband credentials to pay their bills.

The other flaw was potentially more damning, since it exposed the last four digits of Comcast users' social security numbers:

"In the second vulnerability that Stevenson discovered, a sign-up page through the website for Comcast’s Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers’ Social Security numbers. Armed with just a customer’s billing address, a hacker could brute-force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer’s Social Security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form."

Comcast, for its part, states that the vulnerabilities have been patched:

"We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report."

Which is all well and good, but given the volume of sensitive data collected by telecom giants that also sell home phone service, wireless, security service, broadband, TV, and an ocean of other services, the number of website flaws in recent months remains troubling. Especially for a company that spent millions lobbying to kill FCC broadband privacy protections last year; protections that, among other things, required that ISPs be more transparent about what data is collected and sold, and quickly and transparently inform customers when their private data may have been improperly accessed.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    NobleThought (profile), 10 Aug 2018 @ 7:46am

    Fishy Logic

    I would really like to see the people that propose stupid things like this get slapped. Not slapped with a lawsuit. Just with a fish. It would amuse me and hopefully teach them a smelly lesson.

    reply to this | link to this | view in chronology ]

  • icon
    DannyB (profile), 10 Aug 2018 @ 9:58am

    It's not a bug

    It's just Comcast trying to be publicly transparent. With your personal information.

    reply to this | link to this | view in chronology ]

  • icon
    AR Libertarian (profile), 10 Aug 2018 @ 10:26am

    Comcast and SSNs

    After all the data breaches, I might as well just put my family's SSNs on my car windows. Everyone has them anyway.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Aug 2018 @ 11:24am

    Why would an isp need your ssn? This makes no sense.

    They provide a service and bill monthly, probably in advance so there is no need to look at your credit rating but I imagine they do anyway - because why not? Do they also vary the rate you are charged based upon your credit rating? That seems to be what the cool kids are doing these days.

    reply to this | link to this | view in chronology ]

    • icon
      James Burkhardt (profile), 10 Aug 2018 @ 12:21pm

      Re:

      To identify you with a 'unique' numer. Because of their monopoly status, you either have to give them your SSN, or go without. Similarly, Power and Water companies also require you to give up information they shouldn't store longer than necessary, but they do.

      And the government has fed into the idea that you use SSNs as a form of identification.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 10 Aug 2018 @ 2:39pm

        Re: Re:

        When it created the SS admin the government specifically stipulated that the SSN would not be used for identification.

        They lie.

        reply to this | link to this | view in chronology ]

  • icon
    Ninja (profile), 10 Aug 2018 @ 12:32pm

    Aaaan it will keep happening as long as no meaningful punishments are delivered.

    reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 10 Aug 2018 @ 1:05pm

    Well the customers can always move to another provide.... oh yeah.

    Well there are laws... oh wait Experian still exists.

    The cost of providing security is more than what it costs them to settle after the breach (and hey isn't that a tax writeoff??) it will not improve.

    They face no legal repercussions (THANKS ARBITRATION!), they face no competition (THANKS WELL PLACED CONTRIBUTIONS!), they won't get better.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.