Comcast Leaks Xfinity Customer Data, Including User Home Address and WiFi Passwords in Plaintext

May 22, 2018

Comcast apparently failed to secure its own router-activation website, which exposed customers’ private information, including their home addresses. Security researchers Karan Saini and Ryan Stevenson discovered the bug in the Comcast website used to activate Xfinity routers. They report that the bug returned sensitive information about the company’s customers during the activation process.

The disclosure comes at a bad time – not that there is ever a good time for an ISP – as the company is reportedly in the process of launching its own line of network routers.

The website in question is used by customers to set up their cable or internet service. To exploit the bug, the researchers said, an attacker would need at least a partial address or an Xfinity account number, either of which could be easily obtained through social engineering or from bills. By taking advantage of this lack of verification, threat actors could obtain not only the user’s complete address: the website also returned the router’s SSID and WiFi password in plaintext.

Changing WiFi password didn’t help as Comcast leaked updated passwords too

Changing the default WiFi password apparently did not help either: running the same partial customer details through Comcast’s website returned the new, updated WiFi password as well. You can, however, use your own WiFi router to avoid sharing this information with Xfinity or Comcast.
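The flaw the article describes has two parts: the activation lookup accepted low-entropy, guessable identifiers (a partial address or an account number) as proof of identity, and it then returned far more than the activation flow needed, including the current WiFi passphrase. The following is an added example, not Comcast’s code or anything from the article, that models both the weak pattern and a hardened variant: the hardened lookup requires a high-entropy activation token delivered out of band, compares it in constant time, limits failed attempts per account, fails uniformly so it does not reveal whether an account exists, and never returns the passphrase or the address. All customer records, account numbers and tokens below are constructed sample data.

```python
"""Added example (not from the article or Comcast): a weak activation lookup
keyed on guessable customer details beside a hardened one.
All data here is constructed sample data, not real accounts."""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Customer:
    account_number: str
    street_address: str
    ssid: str
    wifi_passphrase: str   # kept in the record only to show the hardened path never returns it
    activation_token: str  # high-entropy secret sent out of band (e.g. printed on the install card)
    failed_attempts: int = 0


# Constructed sample record; the token is a fixed placeholder so the example is deterministic.
CUSTOMERS = {
    "8495-1234": Customer(
        account_number="8495-1234",
        street_address="100 Example St, Springfield",
        ssid="HOME-1234",
        wifi_passphrase="correct horse battery",
        activation_token="K7mQ2xVt9pLz4RnWbE8cYh",
    ),
}

MAX_FAILURES = 5  # per-account lockout threshold (assumed value)


def lookup_weak(partial_address: str) -> Optional[dict]:
    """The flawed pattern: a guessable substring of the address is accepted as
    proof of identity, and the service returns everything it knows, including
    the current WiFi passphrase in plaintext."""
    needle = partial_address.lower()
    for c in CUSTOMERS.values():
        if needle and needle in c.street_address.lower():
            return {
                "address": c.street_address,
                "ssid": c.ssid,
                "wifi_passphrase": c.wifi_passphrase,
            }
    return None


def lookup_hardened(account_number: str, activation_token: str) -> Optional[dict]:
    """Hardened lookup. Returns None on any failure so callers (and attackers)
    cannot distinguish 'no such account' from 'wrong token' from 'locked out'."""
    c = CUSTOMERS.get(account_number)
    if c is None:
        return None
    if c.failed_attempts >= MAX_FAILURES:
        # Locked out. In production, also rate-limit by source and raise an alert,
        # since a per-account lock alone lets a third party block a legitimate activation.
        return None
    # Constant-time comparison so timing does not leak how much of the token matched.
    if not hmac.compare_digest(activation_token.encode(), c.activation_token.encode()):
        c.failed_attempts += 1
        return None
    c.failed_attempts = 0
    # Minimal response: enough to finish activation, with no address and no passphrase.
    # A changed WiFi password is therefore never exposed through this path either.
    return {"account_number": c.account_number, "ssid": c.ssid, "activation": "ok"}


def lockout_reached(account_number: str) -> bool:
    """Helper for callers that want to know whether an account is currently locked."""
    c = CUSTOMERS.get(account_number)
    return c is not None and c.failed_attempts >= MAX_FAILURES


if __name__ == "__main__":
    print("weak:", lookup_weak("example st"))
    print("hardened, good token:", lookup_hardened("8495-1234", "K7mQ2xVt9pLz4RnWbE8cYh"))
    print("hardened, bad token:", lookup_hardened("8495-1234", "guess"))
```

The point of the hardened variant is not the token alone; it is that the response is designed so that even a successful lookup carries nothing an attacker would want. Secrets such as a WiFi passphrase should only ever flow from the customer to the ISP, never back out through a self-service lookup.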

Comcast has now removed this activation option from its website. “Within hours of learning of this issue, we shut it down,” a company spokesperson said.

“At no time did this site enable anyone to access customers’ personal usernames and passwords and we have no reason to believe that any account information was accessed. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.”

Source: ZDNet