Security researchers have identified a bug in US cable giant Comcast's website that inadvertently exposes the Wi-Fi name, password of its customers' Xfinity wireless routers in plaintext online. The flaw lies in the site intended to help customers activate their Xfinity routers for the first time by filling in their data and having Comcast returns the router credentials needed to activate the service.
Researchers Karan Saini and Ryan Stevenson, who discovered the bug and reported it to ZDNet, said the data required to activate the service is minimal. Even though the website form asks a customer to provide their full address, only their home or apartment number and customer account number is required while activating the service.
This means anyone with your account number and house/apartment number - which could be gathered from a discarded bill, from an email, or simply guessed - could plug in the information and obtain the router's SSID, password and full address in plain text. A malicious actor could then potentially log in and use it for their own nefarious activities, monitor its traffic or rename the network and change the password to lock out the subscriber.
ZDNet notes that the bug still returned the sensitive data even if the XFinity Wi-Fi was already activated. Even if a user changed the password to safeguard their network, entering the necessary details on the website still churned out a new Wi-Fi password.
Comcast has since shut down the option on its website.
"There's nothing more important than our customers' security," a Comcast spokesperson told ZDNet. "Within hours of learning of this issue, we shut it down. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn't happen again."