Comcast customer portal vulnerabilities exposed sensitive data

Two serious security flaws in Comcast systems may have left home addresses and Social Security numbers up for grabs.
Written by Charlie Osborne, Contributing Writer

Comcast has resolved two critical vulnerabilities which had the potential to expose confidential information belonging to over 26.5 million customers.

As reported by Buzzfeed, the previously unknown bugs were discovered by security researcher Ryan Stevenson.

The vulnerabilities were found within customer software provided by Comcast Xfinity, a subsidiary of Comcast which provides cable, Internet, and telecommunications services.

Specifically, Stevenson uncovered two critical security flaws in the Comcast Xfinity customer portal.

According to the publication, the bugs allowed even cyberattackers with low levels of skill to access information belonging to customers, including partial home addresses and Social Security numbers.

Comcast recently reported its second-quarter financial results, which noted that its subscriber base had grown to over 26.5 million; any of those customers could have had their information compromised through the security flaws.

The first vulnerability lay in the "in-home authentication" page, a service that lets customers pay their bill without going through the sign-in process.

Customers were asked to verify their identity by selecting their partial home address. If an attacker spoofed the customer's IP address and repeatedly refreshed the page, they could eventually work out the partial address -- because every time the page was refreshed, the one correct address was always present among the options.

The second security flaw was discovered in the sign-up page for Comcast's Authorized Dealers. By brute-forcing the page, armed with only a customer's billing address, attackers could uncover digits of that customer's Social Security number.

Many online services restrict the number of sign-in attempts to prevent brute-force attacks and repeated guessing, but Comcast did not have this protection in place.

The publication contacted Comcast and disclosed the security flaws. As a result, in-home authentication that did not require manual entry of details was removed, and a limit on the rate of guesses was imposed on the portal.
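As an added illustration of the kind of guess-rate limit described above (example code written for this page, not Comcast's implementation; the limits, key names and account identifiers are constructed), the following Python sketches a sliding-window limiter for an identity-verification endpoint. It tracks attempts both per requesting client and per target account, so that a source which changes its apparent address between requests, as in the in-home authentication case, still exhausts the per-account budget.

```python
import time
from collections import defaultdict, deque


class GuessRateLimiter:
    """Sliding-window limiter for identity-verification guesses.

    Attempts are counted under two keys, the requesting client and the
    account being probed. A request is allowed only if neither key has
    reached max_attempts within the last window_seconds. The clock is
    injectable so the behaviour can be tested deterministically.
    """

    def __init__(self, max_attempts, window_seconds, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._attempts = defaultdict(deque)  # key -> timestamps of allowed guesses

    def _recent(self, key, now):
        """Drop timestamps older than the window and return the live queue."""
        q = self._attempts[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allow(self, client_key, account_key):
        """Return True and record the guess if both budgets have room, else False."""
        now = self.clock()
        keys = (("client", client_key), ("account", account_key))
        if any(len(self._recent(k, now)) >= self.max_attempts for k in keys):
            return False  # caller should return a generic "try later" response
        for k in keys:
            self._attempts[k].append(now)
        return True


def simulate_guessing(limiter, attempts, rotate_client=False,
                      account="acct-constructed-1"):
    """Constructed workload: `attempts` guesses against a single account.

    With rotate_client=True every request carries a fresh client key,
    mimicking a source whose apparent address changes between requests.
    Returns how many guesses the limiter let through.
    """
    allowed = 0
    for i in range(attempts):
        client = f"client-{i}" if rotate_client else "client-0"
        if limiter.allow(client, account):
            allowed += 1
    return allowed


if __name__ == "__main__":
    # Hypothetical policy: at most 5 verification guesses per account per minute.
    limiter = GuessRateLimiter(max_attempts=5, window_seconds=60)
    print("single client, 20 guesses:", simulate_guessing(limiter, 20))
    limiter = GuessRateLimiter(max_attempts=5, window_seconds=60)
    print("rotating clients, 20 guesses:",
          simulate_guessing(limiter, 20, rotate_client=True))
```

The per-account key is the important design choice: a limit keyed only on the source address is defeated as soon as the source can vary, whereas the account being verified cannot be varied by the attacker without giving up the target. Denied guesses are deliberately not recorded, so a legitimate customer retrying after the window expires is not locked out indefinitely.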

"We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers," a Comcast spokesperson said. "We take our customers' security very seriously."

Comcast has not received any reports suggesting the bugs were used to compromise user data.

In June, the US telecoms giant resolved an Xfinity website flaw which exposed customers' account information to anyone -- or any app -- on a customer's network.
