Go to listing page

Comcast flaw exposed personal and sensitive information of 26.5 million customers

Comcast flaw exposed personal and sensitive information of 26.5 million customers
  • The authentication feature was designed to enable users access their accounts without having to reset their passwords.
  • Comcast has already patched the vulnerabilities.

Two vulnerabilities discovered in Comcast Xfinity’s in-house authentication system have exposed the partial home addresses and partial Social Security numbers of 26.5 million users.

The authentication feature was designed to enable users access their accounts without having to reset their passwords. In the event that a user forgot his/her password, the feature allowed users to access the Comcast Xfinity system by choosing the correct home address from a displayed list of four partial addresses.

The unknown flaws were discovered by security researcher Ryan Stevenson, Buzzfeed reported.

The offending vulnerabilities

The first vulnerability was that Comcast stored the correct address of a user by discovering the customer’s IP addresses. If an attacker spoofed the IP address of the customer and repeatedly refreshed the page, they would be able to obtain the user’s correct partial address.

The second vulnerability was discovered in the sign-up page for Comcast’s Authorized dealers. By leveraging brute-force attack techniques and a customer’s billing address, the attacker could find out the Social Security number of customers.

Flaws patched

Comcast said it has already patched the vulnerabilities.

“We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report” David McGuire,a spokesperson from Comcast, told to Buzzfeed.

The internet service provider claims that there is no indication of the flaws having been used to compromise user data.

Cyware Publisher

Publisher

Cyware