A flaw in the Comcast website used to activate Xfinity routers can reportedly be exploited to harvest sensitive consumer information.
According to reports, the purpose of the site is to make it easy for customers to set up their home internet without having to wade through a customer service call. It’s a useful service except for the fact that it can apparently be tricked into displaying the home address of wherever the router happens to be. The site can also be forced to cough up a user’s Wi-Fi name and password.
Two security researchers, Karan Saini and Ryan Stevenson, discovered the bug.
For Saini, this is the third big bug he’s caught — previously, he discovered a flaw in Uber’s two-factor authentication system and a flaw in India’s national biometric database.
To make the exploit work, a customer’s account ID and house or apartment number are needed. To replicate the hack, the team at ZDNet got permission from two Xfinity customers to attempt an attack on their accounts.
“We were able to obtain their full address and ZIP code, which both customers confirmed,” the publication reported. “The site returned the Wi-Fi name and password — in plain text — used to connect to the network for one of the customers.”
That customer, the article noted, was using an Xfinity-supplied router. The other customer was using his own router, and the exploit did not send back his username and password.
Furthermore, the problem can’t be remedied by changing hardware: When the researchers ran the exploit again, the site returned the reset password. According to reports, there’s no way for consumers to opt out when using Xfinity hardware.
Among other annoyances associated with the breach, attackers can also use the system to change user network names and passwords, thus locking out rightful users. That, however, would be a fast way to alert the rightful owner to an intruder’s presence.
Saini said that for the breach at hand, it will be nearly impossible to enumerate account numbers.
However, the bug doesn’t seem to give attackers access to sensitive data, like the baseline setting of the router. The best a cybercriminal could hope to do is join a Wi-Fi network within range and read all unencrypted traffic from other users on the network.
“There’s nothing more important than our customers’ security,” said a Comcast spokesperson. “Within hours of learning of this issue, we shut it down. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.”
The announcement of the breach is ill-timed for Comcast, which is in the process of burnishing its reputation with a retail reset that will create experimental technology experiences for its customers.
The hope for the program has been to forge a stronger relationship with consumers, who in recent years have relegated the brand to the “things people love to hate” pile.
“We’re opening … next to the Apples and Sephoras and Ultas. We want to be where customers shop,” Comcast’s SVP of Retail Sales and Service Tom DeVito said.
That is not a terrible idea, but if Comcast doesn’t keep consumer data safe, it won’t have a lot of customers left to shop with it.
Comcast has since removed the option from its website.