Comcast Security Flaws Exposed Customers

Comcast Security Flaws Exposed Customers' Data

The company quickly resolved the problem in its Xfinity customer software.

  • By Sydny Shepard
  • Aug 10, 2018

Security flaws in Comcast Xfinity customer software reportedly exposed customers' partial home addresses and social security numbers.

Security researcher Ryan Stevenson found that two vulnerabilities in the internet service provider's online portal for its more than 26.5 million customers left data open to hackers. Comcast patched the vulnerabilities after Buzzfeed News reported the findings.

"We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers," a company spokesperson said.

One flaw was found on Xfinity's in-home authentication page, which allowed customers to pay bills without signing in after proving their identity using a partial home address. Hackers could spoof a customer's IP address and refresh the page, allowing them to figure out the partial address as that one would stay through each refresh.

The other vulnerability was in the Comcast Authorized Dealers sign-up page. If a hacker that had a customer's billing address brute-forced it, by trying random four-digit combinations until they happened on the right one, they could get digits of the customer's social security numbers.

The brute-force method was possible because Comcast didn't limit the number of sign-in attempts, but has added a strict rate limit.

Comcast has not gotten any reports to suggest that the flaws were used to compromise the data of any users.

About the Author

Sydny Shepard is the Executive Editor of Campus Security & Life Safety.

Featured

  • Maximizing Your Security Budget This Year

    7 Ways You Can Secure a High-Traffic Commercial Security Gate  

    Your commercial security gate is one of your most powerful tools to keep thieves off your property. Without a security gate, your commercial perimeter security plan is all for nothing. Read Now

  • Organizations Struggle with Outdated Security Approaches, While Online Threats Increase

    Cloudflare Inc, recently published its State of Application Security 2024 Report. Findings from this year's report reveal that security teams are struggling to keep pace with the risks posed by organizations’ dependency on modern applications—the technology that underpins all of today’s most used sites. The report underscores that the volume of threats stemming from issues in the software supply chain, increasing number of distributed denial of service (DDoS) attacks and malicious bots, often exceed the resources of dedicated application security teams. Read Now

  • Milestone Announces Merger With Arcules

    Global video technology company Milestone Systems is pleased to announce that effective July 1, 2024, it will merge with the cloud-based video surveillance solutions provider, Arcules. Read Now

  • Cloud Resources Have Become Biggest Targets for Cyberattacks According to New Research

    Thales recently announced the release of the 2024 Thales Cloud Security Study, its annual assessment on the latest cloud security threats, trends and emerging risks based on a survey of nearly 3000 IT and security professionals across 18 countries in 37 industries. As the use of the cloud continues to be strategically vital to many organizations, cloud resources have become the biggest targets for cyber-attacks, with SaaS applications (31%), Cloud Storage (30%) and Cloud Management Infrastructure (26%) cited as the leading categories of attack. As a result, protecting cloud environments has risen as the top security priority ahead of all other security disciplines. Read Now

Most   Popular

Featured Cybersecurity

Webinars

Whitepapers

New Products

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3