Comcast Xfinity Router Activation Site Leaks Customer Info

Security researchers Karan Saini and Ryan Stevenson reported a bug to ZDNet in which a Comcast website for customers to activate their Xfinity routers was found to be leaking sensitive customer information in plain text. If an attacker had the customer’s account number and house or apartment number, they could get the user’s name, full address, and current Wi-Fi network SSID and password, so long as the user was running the Xfinity router given to them by Comcast. This even applied if users changed the SSID and password later on. Upon learning of the bug, Comcast pulled the website, and is currently investigating the bug and ways to prevent similar security breaches in the future.

Exploiting the bug is very simple in practice, and it boils down to two things: first, the login process for new customers does not ask for enough information, and second, this link should not work for customers who have already activated their router and service. Thankfully, any users whose information was compromised by this bug are not in danger from remote hackers, and there’s no way to gain full account access. In order to use this information, an attacker would have to go to the user’s home and log onto the network. If somebody was motivated to do so, however, such as a local scam artist or a nosy neighbor, they would be able to see unencrypted web traffic going through all devices in the house, and possibly use that information for nefarious purposes or find another way to launch a more sophisticated attack.
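The two design flaws named above, modelled as an added Python example (not Comcast's code and not part of the original article): a lookup that returns everything for two identifiers, beside a version that rejects already-activated accounts, requires a further verification step and never returns stored credentials. The record fields, the one-time code used as the extra step and all sample values are assumptions constructed for illustration.

```python
import hmac

# Constructed sample records; field names and values are hypothetical.
ACCOUNTS = {
    "1000000001": {"house_number": "12", "activated": True,
                   "name": "A. Resident", "address": "12 Example St",
                   "ssid": "HomeNet", "wifi_password": "constructed-secret",
                   "otp": "493817"},
    "1000000002": {"house_number": "7", "activated": False,
                   "name": "B. Newuser", "address": "7 Sample Ave",
                   "ssid": "Setup-7", "wifi_password": "constructed-secret-2",
                   "otp": "220451"},
}
GENERIC_DENIAL = {"ok": False, "error": "unable to verify"}


def _same(a, b):
    # Constant-time comparison so timing does not reveal partial matches.
    return hmac.compare_digest(str(a).encode(), str(b).encode())


def weak_lookup(account_number, house_number, accounts=ACCOUNTS):
    """Simplified model of the reported behaviour: two identifiers return
    name, address, SSID and password, even for an activated account."""
    rec = accounts.get(account_number)
    if rec is None or not _same(rec["house_number"], house_number):
        return dict(GENERIC_DENIAL)
    return {"ok": True, "name": rec["name"], "address": rec["address"],
            "ssid": rec["ssid"], "wifi_password": rec["wifi_password"]}


def hardened_lookup(account_number, house_number, otp, accounts=ACCOUNTS):
    """Same lookup with both flaws closed."""
    rec = accounts.get(account_number)
    # Every failure returns the same denial, so responses cannot be used
    # to tell which accounts exist or which are already active.
    if rec is None or not _same(rec["house_number"], house_number):
        return dict(GENERIC_DENIAL)
    if rec["activated"]:            # flow is for not-yet-activated service only
        return dict(GENERIC_DENIAL)
    if not _same(rec["otp"], otp):  # assumed extra factor, sent out of band
        return dict(GENERIC_DENIAL)
    # Return only what activation needs; never echo stored credentials.
    return {"ok": True, "ssid": rec["ssid"]}
```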

This hack was extremely simple, and did not have the scale or punch of many recent data breaches. Nonetheless, as is standard procedure these days, Comcast’s first reaction was to block access to the compromised service however possible in order to prevent any further exploitation. This one was also caught before it could do any significant damage to a large number of customers, which is not normally the case for breaches when it comes to large corporations; the infamous Yahoo data breaches that compromised the company’s deal with Verizon, for example, happened years before being disclosed in some cases.