A little-known page on Comcast's Xfinity website was exposing customers' account information to anyone -- or any app -- on a customer's network.
An anonymous security researcher dropped ZDNet an email, explaining that an API used by the internet giant could be tricked into returning customer data, including account numbers, a customer's home address (which can be used to pinpoint a person's location), account type, and any services enabled on the line, including if a home security setup is active.
The API was used as part of Xfinity's website to help customers find stores and get account information. Because the API only returns data when it recognizes an Xfinity customer's IP address, accessing a line owner's customer data requires the requester to already be on that customer's network.
But the researcher said that anyone or anything connected to a customer's Wi-Fi network -- including apps -- could obtain the same customer account information, without obtaining their permission.
Will Strafach, a mobile security expert, and Corben Leo, a security analyst, independently reproduced and verified the findings.
Comcast shut down the API after we contacted the company Friday.
"There's nothing more important than our customers' privacy and security," said a spokesperson. "As soon as we became aware of this situation, our engineers turned the feature off, which could only be accessed within a customer's home or while logged into the customer's Wi-Fi network."
"We have no reason to believe that anyone's account information was improperly taken or used," said the spokesperson, citing no evidence.
It's the second Xfinity security issue in as many months.
Last month we reported that anyone with an Xfinity customer's account number and their home or apartment number could obtain a customer's full address and Wi-Fi name and password, which could allow an attacker to use the information to access the Wi-Fi network within its range.