Comcast Security Flaws Exposed Customers

Comcast Security Flaws Exposed Customers' Data

The company quickly resolved the problem in its Xfinity customer software.

Security flaws in Comcast Xfinity customer software reportedly exposed customers' partial home addresses and social security numbers.

Security researcher Ryan Stevenson found that two vulnerabilities in the internet service provider's online portal for its more than 26.5 million customers left data open to hackers. Comcast patched the vulnerabilities after Buzzfeed News reported the findings.

"We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers," a company spokesperson said.

One flaw was found on Xfinity's in-home authentication page, which allowed customers to pay bills without signing in after proving their identity using a partial home address. Hackers could spoof a customer's IP address and refresh the page, allowing them to figure out the partial address as that one would stay through each refresh.

The other vulnerability was in the Comcast Authorized Dealers sign-up page. If a hacker that had a customer's billing address brute-forced it, by trying random four-digit combinations until they happened on the right one, they could get digits of the customer's social security numbers.

The brute-force method was possible because Comcast didn't limit the number of sign-in attempts, but has added a strict rate limit.

Comcast has not gotten any reports to suggest that the flaws were used to compromise the data of any users.

About the Author

Sydny Shepard is the Executive Editor of Campus Security & Life Safety.

  • Remembering 9/11 Remembering 9/11

    In this episode, Security Today Editor-in-Chief Ralph C. Jensen Talks with Steve Karoly about security and transportation issues, specifically airport, airline and passenger security. It is the 20th anniversary of the 9/11 terror attacks in New York, the Pentagon and Shanksville, PA. Much has changed concerning security efforts about airport transportation security. The conversation talks about the role that technology plays in protecting the flying public and steps taken to ensure there hasn’t been a successful terrorist attack on a U.S. airliner since 9/11. Checkpoint and screening are evolving at a rapid pace, and the conversation centers on new measures and technologies that are being integrated into checkpoints.

Digital Edition

  • Security Today Magazine - July August 2021

    July August 2021

    Featuring:

    • Tee Up the Security
    • Listen Clearly
    • Turning to the Cloud
    • COVID-19 The Final Push
    • Redefining Security

    View This Issue

  • Environmental Protection
  • Occupational Health & Safety
  • Infrastructure Solutions Group
  • Spaces4Learning
  • Campus Security & Life Safety