
Comcast Website Bug Leaks Xfinity Customer Data (zdnet.com) 43

An anonymous reader quotes a report from ZDNet: A bug in Comcast's website used to activate Xfinity routers can return sensitive information on the company's customers. The website, used by customers to set up their home internet and cable service, can be tricked into displaying the home address where the router is located, as well as the Wi-Fi name and password. Two security researchers, Karan Saini and Ryan Stevenson, discovered the bug. Only a customer account ID and that customer's house or apartment number is needed -- even though the web form asks for a full address.

ZDNet obtained permission from two Xfinity customers to check their information. We were able to obtain their full address and zip code -- which both customers confirmed. The site returned the Wi-Fi name and password -- in plaintext -- used to connect to the network for one of the customers who uses an Xfinity router. The other customer was using his own router -- and the site didn't return the Wi-Fi network name or password.
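The flaw described in the report, sketched as an added example (not Comcast's code and not from the ZDNet article): a lookup that compares only the house number and echoes stored secrets, beside a version that requires every submitted field to match and returns nothing sensitive. All names, the account ID and the record are hypothetical and constructed for illustration.

```python
import hmac
import re

# Constructed sample record; every field name and value here is hypothetical.
ACCOUNTS = {
    "8155100010000000": {
        "street": "1234 Elm Street Apt 5",
        "zip": "19103",
        "wifi_ssid": "HOME-1A2B",
        "wifi_password": "constructed-example-passphrase",
    }
}

def _norm(text):
    """Lower-case and collapse punctuation so formatting differences do not matter."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def _same(a, b):
    # Constant-time comparison of the normalized values.
    return hmac.compare_digest(_norm(a).encode(), _norm(b).encode())

def lookup_weak(account_id, street, zip_code):
    """Behaviour the report describes: the form asks for a full address, but only
    the leading house number is compared, and the reply carries the stored
    address and Wi-Fi credentials in plaintext."""
    rec = ACCOUNTS.get(account_id)
    if rec is None:
        return None
    if _norm(street).split()[:1] != _norm(rec["street"]).split()[:1]:
        return None
    return dict(rec)

def lookup_hardened(account_id, street, zip_code):
    """Every submitted field must match, and the reply confirms the match only.
    Credentials belong behind an authenticated session, not in this response."""
    rec = ACCOUNTS.get(account_id)
    if rec is None:
        return None
    if not (_same(street, rec["street"]) and _same(zip_code, rec["zip"])):
        return None
    return {"verified": True}
```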

  • by Anonymous Coward

    Comcast's email system is also responsible for provisioning the modems. In other words, if you hack it you can upload a malicious boot file to the modem.

  • Just wondering... I'm still getting spam related to the Russian breach.

    • by SeaFox ( 739806 ) on Monday May 21, 2018 @09:39PM (#56650928)

      You're a Comcast customer. I cannot imagine your life being any worse than that.

      • by grep -v '.*' * ( 780312 ) on Monday May 21, 2018 @10:25PM (#56651062)
        I'm a business user. I can call 24x7 and within 60 seconds be talking to a real English speaking tech about bits and bytes, DHCP, speeds & outages, or whatever connectivity issues I can think of and we can talk in real-time -- no scripts, "I'll research this bite thing you speak of and get back to you", or anything like that. One guy was surprised about my internal network config (he'd SSHed into the router) and we talked a few minutes about pros and cons.

        The worst I've had is like a 90-second hold researching how bad an outage was (storm hit multiple points and devices) and trying to determine an overall ETA. They were close -- within 2 hours -- and I suspect they were pulling a Scotty [c2.com].
        • by pnutjam ( 523990 )
          Comcast has great service in many areas, it has terrible service in many others. They also don't always know which department handles a given account, in my past experience. Some of this might have improved.

          Currently, I use them and get reliable internet. Their major policies are mostly OK. They don't block ports. They answer queries and transfer me if I'm too technical.
          I, however, don't use their router or their DNS. I know how to ensure I'm getting what I pay for. Those who are minimally technical or not
          • by Anonymous Coward

            You missed the point. Comcast Business offers you SLAs among other things. If you live in an area with 'terrible service' then you should consider Comcast Business. Every time service goes out and they don't fix it within 2-4 hours, you get a free month of service. Ergo, areas with terrible service should be able to get free internet until they make their service better than terrible.

            But something tells me you just want to bitch about Comcast rather than make lemonade with the lemons that life dealt you

            • Hate your service? Pay double! That will make it twice as good.

            • by pnutjam ( 523990 )
              Yeah, a business needs service now. Free service later doesn't do much good. For what it's worth, the problems I had with, "not my department" were business class service.
              I've always been pretty satisfied with their consumer service. I use the X1 dvr and it's pretty awesome. Their on-demand selection is head and shoulders above AT&T's. Their internet is totally suitable, especially if you know what you're doing.
              My main complaint is that even if you know what you're doing, they play weird games on the backen
  • My old ISP (Score:3, Informative)

    by darkain ( 749283 ) on Monday May 21, 2018 @09:35PM (#56650918) Homepage

    Don't even need a web site to look up physical locations of virtually everyone with my old ISP. They had the dumb ass bright idea to include the connected device's MAC address listed in the reverse IP address lookup of everyone on their /16 block. Add or subtract 1 or 2 from their MAC address (the WAN port on their router) to get the Wifi MAC address. Use that MAC address with online public Wifi geolocation databases. BAM. I instantly have physically mapped locations of virtually every single user of the ISP based on IP address alone. Which, again, the IP addresses are not hard to figure out, since the ISP is all contained in a single /16 block.
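An operator-side check for the leak described in the comment above, as an added example that is not part of the comment: it scans an exported reverse zone for PTR targets that embed a MAC address so the naming scheme can be changed. The zone lines, hostnames and function names are constructed for illustration.

```python
import re

# Constructed PTR records: documentation address space, made-up hostnames.
SAMPLE_ZONE = """\
10.2.0.192.in-addr.arpa.  3600 IN PTR cm-00a1b2c3d4e5.pool.example.net.
11.2.0.192.in-addr.arpa.  3600 IN PTR 00-a1-b2-c3-d4-e6.dyn.example.net.
12.2.0.192.in-addr.arpa.  3600 IN PTR host-192-0-2-12.example.net.
13.2.0.192.in-addr.arpa.  3600 IN PTR deadbeefcafe0123.cdn.example.net.
"""

# Six hex octets with one consistent separator (or none), and not part of a
# longer hex run, so 16-digit identifiers such as the last sample are skipped.
MAC_RE = re.compile(
    r"(?<![0-9a-f])[0-9a-f]{2}([-:_]?)(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}(?![0-9a-f])"
)

def owner_to_ip(owner):
    """Turn '10.2.0.192.in-addr.arpa.' back into '192.0.2.10'."""
    labels = owner.lower().rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"] or len(labels) != 6:
        return owner  # not a full IPv4 reverse name; report it unchanged
    return ".".join(reversed(labels[:4]))

def audit_ptr(zone_text):
    """Return (ip, ptr_target, mac) for every PTR target that embeds a MAC."""
    findings = []
    for line in zone_text.splitlines():
        fields = line.split()
        if "PTR" not in fields or fields[-1] == "PTR":
            continue  # not a PTR record, or the target is missing
        owner, target = fields[0], fields[-1]
        match = MAC_RE.search(target.lower())
        if match:
            digits = re.sub(r"[^0-9a-f]", "", match.group(0))
            mac = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
            findings.append((owner_to_ip(owner), target, mac))
    return findings
```

A bare 12-digit hex label can also be some other identifier, so each finding is a candidate to review against the provisioning system rather than a confirmed leak.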

  • ... to own your own router instead of paying Comcast’s exorbitant monthly rent.

    • Too bad you can't with a static IP on Comcast

      • You can probably put their PoS modem in bridge mode and stick your own router behind it.
        • by Zebai ( 979227 )

          My #1 peeve with those POS modems is this bridge mode. Let me clarify things, it's pseudo bridge mode. Meaning it's faked; the modem's firmware runs at any given time 4 wifi broadcasts, only 2 of which turn off in bridge mode. 2.4 & 5 GHz xfinity wifi hotspot, and a hidden network for the home security touchpad to connect to.

          • You would hope that the xfinity hotspots are on a separate isolated network anyway, so that doesn't necessarily negate the bridge. The modem would probably be getting two additional private IPs from the uplink to do the other business on.

      • Indeed, the options provided to us where I work were an SMC router with completely broken IPv6 support, and a Cisco router that may or may not have had that buggy Intel Puma 6 chipset (whatever it was, it imparted erratic latency on all traffic traversing it, had several percent packet loss overall, dropped out several times per day and was otherwise a mess... but it did have decent WiFi)
  • Comcast public hotspots that run on their routers at homes may be part of the hole.

  • To play devil's advocate here it does say you need the customer ID, aka account number for this to be possible. There are only a couple ways to get an account number even if you are trying to get your own account.

    1. Steal a copy of the bill.
    2. Log in to the account online (meaning you already have their account password)
    3. Be told the account number by a rep whom you have to have the address/ssn for anyway

    So someone who has managed to breach one of these security measures and who already knows enough about th

  • How can that be? Does that only apply to Comcast supplied residential gateways that are both cable modem and WIFI router in one? I never use Comcast's gateways. They are terrible. For the longest time all they supported WIFI-wise was 2.4 GHz 802.11g. If you wanted to use your own router, you had to set their gateways in bridge mode which different techs had varying opinions about whether that would work well with their particular Arris hardware. I decided to go with my own router and mesh WIFI system.
  • Yet another reason to avoid their crappy XFinity wi-fi routing features. Mine are turned off so I can use my own router, which gives me full control and allows me to lock things down. Convincing Comcast to bridge the router was a real pain, but keeping their techs tied up for three days convinced them I wasn't going to give up, and they finally relented.
