Xfinity website bug revealed home addresses and Wi-Fi passwords
Comcast had to shut down the site in the midst of a product launch.
This week, ZDNet reported that a Comcast website used to activate Xfinity routers was leaking personal data, including a person's home address, the name of the Wi-Fi network and password. This bug was first uncovered by two researchers, Karan Saini and Ryan Stevenson.
Saini and Stevenson found that they only needed a customer ID and house or apartment number (not the full address) in order to force the website to deliver the information. This, in spite of the fact that the form did request a full address. This information can be obtained from a discarded bill, or if an attacker only has the ID, they can guess a house/apartment number.
ZDNet was able to confirm that the bug indeed returned home addresses, as well as Wi-Fi username and password information in plain text. For one user they tested who didn't use Xfinity's router, the website returned the home address but not the username or password of the Wi-Fi network (another reason to always use your own router). If this wasn't bad enough, it's possible someone could have used this method to rename a Wi-Fi network or change the password, locking someone out of their own network.
Comcast is aware of the issue and has removed the option from its website. "There's nothing more important than our customers' security," a Comcast spokesperson told ZDNet. "Within hours of learning of this issue, we shut it down. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn't happen again." Still, considering that the service just introduced its mesh routers last night, the timing of this discovery isn't great. It's good that the company acted quickly, but it doesn't change the fact that this breach of security happened in the first place.
