Comcast Xfinity customers are the latest to be affected by lax online security. According to a report from BuzzFeed News, more than 26.5 million customers had their partial home addresses and social security numbers exposed…
Sylvania HomeKit Light Strip
Security researcher Ryan Stevenson first uncovered the security flaws. These vulnerabilities were in Comcast’s online customer portal and made it “easy for even an unsophisticated hacker to access this sensitive information.”
BuzzFeed News informed Comcast of the security holes, and the internet provider was quickly able to patch the flaws. In a statement addressing the data breach, a Comcast spokesperson explained that it blocked the security vulnerabilities within “hours,” while also reaffirming the company’s commitment to security:
Spokesperson David McGuire told BuzzFeed News, “We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.”
One of the flaws related to an “in-home authentication page” where a user is able to pay their bills without signing in. The portal allowed customers to verify their account information based on partial home addresses suggested by the Comcast site, if the device was or appeared to be connected to the home network:
Eventually, the page would show the first digit of the street number and first three letters of the correct street name, while asterisks hid the remaining characters. A hacker could then use IP lookup websites to determine the city, state, and postal code of the partial address.
The second vulnerability was discovered via a sign-up page for Comcast Authorized Dealers. By using a customer’s billing address, a hacker could “brute force the last four digits of a customer’s social security number.” Eventually, because the page did not limit how many attempts, hackers would reveal the social security number:
Armed with just a customer’s billing address, a hacker could brute force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer’s social security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct social security number is inputted into the form.
Comcast says it is still investigating the vulnerabilities, but has yet to find any foul play thus far.