Charter Spectrum Security Flaw Exposes Private Data Of Millions Of Subscribers

from the Another-day,-another-scandal dept

Last year you'll recall that the cable and broadband industry lobbied the government to kill off broadband privacy rules at the FCC. The rules were fairly basic, requiring that ISPs and cable operators clearly disclose what data is being collected and sold, and provide working opt-out tools for users who didn't want to participate. The rules also required that consumers opt in to more sensitive data collection (financial), that ISPs and cable operators adhere to standard security procedures, and that they quickly inform consumers when their private data was exposed by a hacker.

In recent months, the cable industry has been showcasing how it's simply not very good at keeping its websites secure. Comcast, for example, has seen three privacy breaches in almost as many months, with security researcher Ryan Stevenson discovering numerous, previously-unreported vulnerabilities that potentially exposed the partial home addresses and Social Security numbers of more than 26.5 million Comcast customers.

Not to be outdone, now Buzzfeed has found that a vulnerability on the Charter Communications (Spectrum) website made it possible for just about anyone to take over customers' accounts without a password. According to the report, this flaw was again discovered by Stevenson (who goes by the moniker Phobia), and involved tricking a Spectrum website that let subscribers create a Time Warner Cable ID (Time Warner Cable being the company Charter just acquired).

If a targeted customer hadn't yet registered for such an ID, a website flaw let a hacker trick the site into creating one by supplying the customer's IP address in place of their own in the "X-Forwarded-For" HTTP header, which the site trusted as the client's real address, a relatively trivial affair:

"The registration website tried to verify subscribers’ identities by asking for their zip codes and phone numbers. But according to the security researcher Phobia, the zip code didn’t need to be correct to proceed to the next page. Only the phone number associated with the account needed to be accurate. Additionally, Ceraolo found that hackers could use a brute-force software program in the phone number field (in other words, repeatedly try different 10-digit combinations), because the Spectrum website did not limit the number of attempts. That means it would be relatively easy for a hacker to take over someone’s account even without an accurate phone number."

Once the bogus ID was created, the hacker subsequently had access to oodles of private user account data, including billing address, email, and account number. That data could, in turn, be used as the cornerstone of social engineering and phishing efforts to glean even more customer information. Not all of Charter's 23 million customers are affected; only a subset of the company's 14 million "legacy," pre-merger Time Warner Cable subscribers were. The company also claims that it has no evidence to suggest that these flaws were actually exploited.
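The two weaknesses described above, trusting whatever address a client writes into X-Forwarded-For and placing no limit on phone-number guesses, both have well-understood server-side fixes. The following is an added example, not Charter's or Buzzfeed's code: it honours X-Forwarded-For only when the request arrived through one of our own proxies, requires both verification factors to match, and locks an account after a few failed attempts. The proxy addresses, the sample subscriber record and the attempt limits are constructed for illustration.

```python
"""Added example (not Charter's or Buzzfeed's code): two server-side checks
that address the weaknesses the report describes. Proxy addresses, sample
records and limits are constructed for illustration."""
import hmac
import ipaddress
import time
from collections import defaultdict
from typing import Dict, List, Optional

# Hypothetical: the load balancers that terminate client connections and
# append the peer address to X-Forwarded-For. Any other peer is untrusted.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5"), ipaddress.ip_address("10.0.0.6")}


def effective_client_ip(peer_ip: str, xff_header: Optional[str]) -> str:
    """Return the address to treat as the client's.

    A direct connection ignores the header entirely: the TCP peer is the
    client, whatever it wrote into X-Forwarded-For. Behind a trusted proxy,
    the right-most entry that is not one of our proxies is the address the
    first proxy actually observed; anything to its left was client-supplied.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES or not xff_header:
        return str(peer)
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed chain: fall back to the peer address
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)


class AttemptLimiter:
    """Count failed verification attempts per account within a sliding window."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures: Dict[str, List[float]] = defaultdict(list)

    def is_locked(self, key: str) -> bool:
        now = self.clock()
        self._failures[key] = [t for t in self._failures[key] if now - t < self.window]
        return len(self._failures[key]) >= self.max_failures

    def record_failure(self, key: str) -> None:
        self._failures[key].append(self.clock())

    def reset(self, key: str) -> None:
        self._failures.pop(key, None)


def _same(a: str, b: str) -> bool:
    # Constant-time comparison so a mismatch does not reveal which digits matched.
    return hmac.compare_digest(a.encode(), b.encode())


def verify_subscriber(account_id: str, zip_code: str, phone: str,
                      records: Dict[str, Dict[str, str]], limiter: AttemptLimiter) -> bool:
    """Require BOTH factors to match (the report says only the phone was
    checked), fail closed while the account is locked, and count every failure."""
    if limiter.is_locked(account_id):
        return False
    record = records.get(account_id)
    if record is not None and _same(record["zip"], zip_code) and _same(record["phone"], phone):
        limiter.reset(account_id)
        return True
    limiter.record_failure(account_id)
    return False


def demo() -> dict:
    """Walk both checks through the scenarios from the report (constructed data)."""
    records = {"acct-1001": {"zip": "12345", "phone": "2125550100"}}  # constructed
    limiter = AttemptLimiter(max_failures=3, window_seconds=900)
    results = {}
    # Header names another subscriber's address, but the peer is not our proxy: ignored.
    results["direct_spoof"] = effective_client_ip("203.0.113.7", "198.51.100.9")
    # Via our proxies, with a client-injected left-hand entry: the observed address wins.
    results["proxied"] = effective_client_ip("10.0.0.5", "198.51.100.9, 203.0.113.7, 10.0.0.6")
    # Three wrong phone numbers lock the account; the correct one is then refused too.
    for guess in ("2125550000", "2125550001", "2125550002"):
        verify_subscriber("acct-1001", "12345", guess, records, limiter)
    results["correct_after_lockout"] = verify_subscriber("acct-1001", "12345", "2125550100", records, limiter)
    return results


if __name__ == "__main__":
    print(demo())
```

The limiter is keyed on the account being verified rather than on the requester's address, because in the scenario above the apparent address is exactly what the attacker controls; a per-account lock-out holds regardless of where the guesses appear to come from. Locked accounts should also raise an alert, since a burst of failures against a single account is the detection signal for this kind of enumeration.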

But we're still likely talking about millions of potential subscribers, and Charter won't specify just how many users may have had their private data exposed. And if Stevenson's recent track record is any indication, there are likely plenty more flaws waiting in the wings to be discovered.

Filed Under: breaches, broadband, flaws, privacy
Companies: charter, charter spectrum


Reader Comments

  • Anonymous Coward, 27 Aug 2018 @ 6:23am

    "exposed the partial home addresses and Social Security numbers of more than 26.5 million Comcast customers."

    Why does Comcast need customers' SSNs?


    • Stephen T. Stone (profile), 27 Aug 2018 @ 6:32am

      Re:

      "Why wouldn't we?" — Comcast, probably


    • That Anonymous Coward (profile), 27 Aug 2018 @ 6:34am

      Re:

      Because the list they got from Equifax was incomplete.


      • timlash (profile), 27 Aug 2018 @ 7:18am

        Re: Re:

        Right? After Equifax are these breaches even stories? Everyone's PII is already available. I've accepted that and have moved on. I don't think the genie can be put back into the bottle.


    • Anonymous Coward, 27 Aug 2018 @ 7:51am

      Re:

      Because apparently getting cable service requires a credit check.


      • Anonymous Coward, 27 Aug 2018 @ 9:46am

        Re: Re:

        Why? Are they extending credit? I do not think so.
        If they are concerned about their crappy "modem" then ask for a deposit; if they are concerned about next month's bill then bill in advance - oh wait, they already do that.

        There is no reason for a credit check and there is no reason for them to have SSN.


    • Bamboo Harvester (profile), 27 Aug 2018 @ 7:57am

      Re:

      SSN's are 'required' for financial judgments against unpaid bills. No other reason.


      • Anonymous Coward, 27 Aug 2018 @ 9:49am

        Re: Re:

        No they are not.
        Many people are asked for payment of unpaid bills and the SSN is not used nor is it needed to accomplish that.

        Also ... I assume they ask for the SSN up front before starting service - so they are assuming you are a deadbeat to begin with. I imagine that most customers assume the same thing about the isp.


      • Anonymous Coward, 27 Aug 2018 @ 1:59pm

        Re: Re:

        They could cut service when an account runs out of money, without allowing people to go into debt. That leaves minimal chargeback/NSF risks, which they could require a deposit for. (Of course, these companies always charge ridiculous rates on debt, 20% or higher per annum, and may be counting on that as a source of profit.)


  • That Anonymous Coward (profile), 27 Aug 2018 @ 6:41am

    The costs of the PR to say sorry < any damages to the company, security will stay shitty.

    I sure am glad they want to run like 10 more investigations of Hillary & emails... pity they can't find oh 10 minutes to craft a law that makes it more expensive to not have real security, so that real security looks a lot nicer.

    Nothing will ever be 100%, but the more we learn about how the breaches happen... the more we should understand they don't pay for security.

    Every American's SS number is out there in the wild & most likely dossiers that fill in all the blanks... perhaps it is time to consider we stop using SS #'s. The system is screwed. We need a new number system where the fscking number isn't something every little shitty company can demand to provide service. We let them turn SS#'s into the mystical secret sauce that unlocks things... and they keep leaking them, giving out credit to people who know the number & moms maiden name, then trying to sue the owner of the number who knew nothing about the credit...

    Of course the only way any of this will ever change is if Congress figures out their numbers are out in the wild, millions of bills have been racked up in their names, but no one's trying to collect from them like they do the little people.


    • Michael, 27 Aug 2018 @ 8:43am

      Re:

      "pity they can't find oh 10 minutes to craft a law that makes it more expensive to not have real security"

      While I like the sentiment, I don't think our lawmakers should have anything to do with writing laws mandating "good" security. There is no way it would not turn into a mess of companies making actual mistakes, sophisticated hackers blackmailing companies with security holes, and broadband providers still not doing anything better.

      It is (like a lot of other things) just a symptom of a lack of competition. If we all had the option of changing broadband providers when our provider did a crappy job of securing its website, their websites would get very secure very quickly.


  • Anonymous Coward, 27 Aug 2018 @ 9:27am

    You guys act like this matters.

    Anthem Blue Cross already dropped all of this on the public domain when they forgot to encrypt their databases.


  • Anonymous Coward, 27 Aug 2018 @ 11:14am

    Thanks Pai for killing the privacy law - you worthless piece of shit.


    • Thad (profile), 27 Aug 2018 @ 12:25pm

      Re:

      (1) The Wheeler-era FCC's privacy regulation was overturned by Congress, not Pai. Pai overturned Title II net neutrality regulations, which are a different thing.

      (2) While repealing the privacy regulation was bad, it's not really relevant to this story. That concerned ISPs' ability to disclose browsing habits to third parties; it had nothing to do with account information being exposed in data breaches.


  • ECA (profile), 27 Aug 2018 @ 12:54pm

    STILL WANT TO KNOW..

    Whose software are they using???

