Researchers disclosed a bug in the Comcast website used for Xfinity activation that revealed a customer's full address, Wi-Fi network name, and Wi-Fi password to anyone who entered the customer's account ID and a fragment of the service address. They also found that customers with Xfinity-provided routers were more exposed: the results page reflected changes to the network name and password almost immediately, so the leak was not limited to default credentials.
Customers use the website to activate their Xfinity routers and set up their cable TV and internet service. Karan Saini (credited with discovering the Uber two-factor authentication vulnerability) and Ryan Stevenson reported that a threat actor needed only an account ID and part of the address, such as an apartment or street number, to retrieve the sensitive information. Both are easy to obtain: account IDs appear on discarded bills and in email, and a unit number can simply be guessed.
The researchers tested the vulnerability with their contacts' consent. Entering the details of customers who used their own routers returned full addresses and zip codes but not the Wi-Fi name and password; subscribers using the routers bundled with the service yielded all of the data, even when they had activated the router earlier and later changed the credentials. For customers on Xfinity hardware, the page also allowed the network to be renamed and the password changed, which would temporarily lock legitimate users out. An attacker within range of the network who knows its password could join it, read the traffic of other users, or perform man-in-the-middle attacks.
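To make the flaw concrete, here is an added model of the lookup pattern the researchers describe, written for this page and not taken from Comcast's site or the researchers' work. The account records, account numbers, addresses and credentials are constructed sample data. The weak version accepts an account number plus a single address fragment and returns Wi-Fi credentials for ISP-provided routers, so an attacker holding only the account number can walk through apartment numbers; the hardened version requires the full address, throttles failures per account, and returns credentials only to a session already authenticated as that account.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    account_id: str
    street: str
    unit: str          # empty for single-family addresses
    zip_code: str
    isp_router: bool   # True when the router was supplied by the ISP
    wifi_ssid: Optional[str]
    wifi_password: Optional[str]


# Constructed sample records; none of these are real customers.
ACCOUNTS = {
    "8471234567": Account("8471234567", "100 Main St", "Apt 17", "19103",
                          True, "HOME-7A2F", "s3cretpassphrase"),
    "8479876543": Account("8479876543", "22 Oak Ave", "", "19104",
                          False, None, None),
}


def _full_address(acct: Account) -> str:
    return " ".join(p for p in (acct.street, acct.unit, acct.zip_code) if p)


def vulnerable_lookup(account_id: str, address_fragment: str) -> Optional[dict]:
    """Model of the flaw: the account number plus one address fragment (unit or
    street number) is the whole check, there is no throttling, and the response
    carries the Wi-Fi credentials of ISP-provided routers."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return None
    fragment = address_fragment.strip().lower()
    if not fragment or fragment not in (acct.unit.lower(), acct.street.split()[0].lower()):
        return None
    result = {"address": _full_address(acct)}
    if acct.isp_router:
        result["ssid"] = acct.wifi_ssid
        result["password"] = acct.wifi_password
    return result


def enumerate_units(account_id: str, max_unit: int = 100) -> Optional[tuple]:
    """The guess the article describes: with only an account number, try unit
    numbers until the endpoint answers. Returns (unit_number, response)."""
    for n in range(1, max_unit + 1):
        hit = vulnerable_lookup(account_id, f"Apt {n}")
        if hit is not None:
            return n, hit
    return None


class HardenedLookup:
    """Corrected behaviour: the full address must match (constant-time compare),
    failed attempts are counted per account and locked out, and credentials are
    only returned to a caller whose session is already authenticated as that
    account. Unauthenticated callers learn nothing beyond a yes/no on an address
    they already had to supply in full."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.failures: dict = {}

    def lookup(self, account_id: str, street: str, unit: str, zip_code: str,
               session_account_id: Optional[str] = None) -> Optional[dict]:
        acct = ACCOUNTS.get(account_id)
        # Same response for unknown account and locked-out account.
        if acct is None or self.failures.get(account_id, 0) >= self.max_failures:
            return None
        supplied = f"{street}|{unit}|{zip_code}".strip().lower().encode()
        expected = f"{acct.street}|{acct.unit}|{acct.zip_code}".strip().lower().encode()
        if not hmac.compare_digest(supplied, expected):
            self.failures[account_id] = self.failures.get(account_id, 0) + 1
            return None
        result = {"address_verified": True}
        if session_account_id == account_id and acct.isp_router:
            result["ssid"] = acct.wifi_ssid
            result["password"] = acct.wifi_password
        return result


if __name__ == "__main__":
    print("weak endpoint, guessed unit:", enumerate_units("8471234567"))
    hardened = HardenedLookup()
    guesses = [hardened.lookup("8471234567", "100 Main St", f"Apt {n}", "19103")
               for n in range(1, 101)]
    print("hardened endpoint, same guesses:", [g for g in guesses if g])
```

The lockout counter here lives in memory for illustration; a real deployment would keep it in shared storage and pair it with rate limiting by source address, since an attacker can spread guesses across many account numbers.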
Comcast has removed the feature from the website after the researchers disclosed the bug.
Users can protect their home networks by securing everything from the gateway to the endpoint. A few steps that mitigate threats like this one:
Change the default Wi-Fi name and password, especially on routers bundled by service providers. Use a long, unique passphrase so the network is less susceptible to unauthorized access.
Dispose of documents containing identifying information, such as bills and customer notifications, properly; in this case an account number from a discarded bill was all an attacker needed.
The Trend Micro™ HouseCall™ solution for home networks scans your network and all of its connected devices to identify potential risks and suggests how to improve your home network security. With the increasing number of smart and connected devices, Trend Micro™ Premium Service plans help block threats from the gateway to the endpoint, providing 24/7 assistance, fast diagnosis, remote home network support, security health checks, and virus and spyware removal.