Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Communications Network The Internet Technology

Comcast Security Flaw Exposes Partial Addresses, Social Security Numbers of 26 Million Users (buzzfeednews.com) 67

olsmeister writes: A security flaw in the Comcast Xfinity online portal exposed social security numbers and partial home addresses of more than 26.5 million subscribers, according to security researcher Ryan Stevenson. Comcast says the flaws have already been patched and that it currently has no reason to believe that the flaws were ever exploited. BuzzFeed reports of the two vulnerabilities: One of the flaws could be exploited by going to an "in-home authentication" page where customers can pay their bills without signing in. The portal asked customers to verify their account by choosing from one of four partial home addresses it suggested, if the device was (or seemed like it was) connected to the customer's home network. If a hacker obtained a customer's IP address and spoofed Comcast using an "X-forwarded-for" technique, they could repeatedly refresh this login page to reveal the customer's location. That's because each time the page refreshed, three addresses would change, while one address, the correct address, remained the same. Eventually, the page would show the first digit of the street number and first three letters of the correct street name, while asterisks hid the remaining characters. A hacker could then use IP lookup websites to determine the city, state, and postal code of the partial address.

In the second vulnerability that Stevenson discovered, a sign-up page through the website for Comcast's Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers' Social Security numbers. Armed with just a customer's billing address, a hacker could brute-force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer's Social Security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form.
After learning of these vulnerabilities, Comcast disabled in-home authentication and put a strict rate limit on the portal. Here's what a Comcast spokesperson had to say about the matter: "We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers' security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report."
This discussion has been archived. No new comments can be posted.

Comcast Security Flaw Exposes Partial Addresses, Social Security Numbers of 26 Million Users

Comments Filter:
  • A local ISP near me puts the device's MAC address into the reverse DNS lookup of every IP address assigned on their network. Just increase/decrease the MAC address by 1 or 2, and you'll usually get the routers WiFi MAC instead of WAN MAC. With the WiFi MAC in hand, you can use publicly available free online tools to geolocate the access point down to about a 2-4 house accuracy. In other words, you can get near-exact physical location of any user on this ISP from just their IP address. ... It has been like t

    • This leak looks like lawsuit material to me.

      What's with these companies, can't keep basic data secure?

      Were they born in the '40s?
      • Re:Full Location (Score:5, Interesting)

        by Epsillon ( 608775 ) on Thursday August 09, 2018 @02:39AM (#57095298) Journal
        Why do they need an SSN in the first place? If I'm completely honest, we have to bear some of the responsibility for these breaches of security by idly allowing any and all personal information to be collected by any old munchkin. An ISP does not need your SSN, date of birth or anything else beyond your address and payment details.

        For web forms that will not enable the Next button without information they don't need, I usually fake it. That fake data goes into my password manager as a third level of security that only I know.
        • by SeaFox ( 739806 )

          Why do they need an SSN in the first place? If I'm completely honest, we have to bear some of the responsibility for these breaches of security by idly allowing any and all personal information to be collected by any old munchkin. An ISP does not need your SSN, date of birth or anything else beyond your address and payment details.

          They need your SSN for checking your credit, which is used to determine if you will be required to pay a deposit on your service. Remember that Comcast isn't just an Internet provider, they also sell phone and pay TV service. Service people can run up a pretty penny in post-paid charges on.

          If you're about to say "they can't force you to give them your SSN". You're right. But you also can't force them to give you service. They could also agree to give you service only if you pay a huge deposit (which will be

          • Re: (Score:2, Interesting)

            by Anonymous Coward

            NOPE! You just have to pay a deposit potentially or ask for a manger to override. No reason to give it. https://forums.xfinity.com/t5/Customer-Service/You-should-not-need-my-social-security-to-set-up-service/td-p/2587380

          • It sounds like the US credit checking system is broken then - I don't need to supply the British equivalent (NI Number) when applying for credit, nor do I need to apply for credit to sign up for cable or satellite TV...

            Rather than simply accepting the broken system, you might want to think about how it should be changed.

          • Comment removed based on user account deletion
        • Re:Full Location (Score:5, Interesting)

          by ShanghaiBill ( 739463 ) on Thursday August 09, 2018 @02:58AM (#57095356)

          Why do they need an SSN in the first place?

          Better question: Why do we pretend that SSNs are "secret"?

          They are already semi-public, and generally used as a "citizenship number". There have been so many breaches that nearly every SSN has be leaked multiple times. Why not just go all the way, and make SSNs fully public? Then people could just write it on an envelope, and the USPS would deliver the letter to your current address.

          If companies want something for authentication, they would have to use something sensible instead.

          • Re: (Score:2, Interesting)

            by Anonymous Coward

            Then people could just write it on an envelope, and the USPS would deliver the letter to your current address.

            Back in the early 90s when I was in the Navy, we did use our SSN in our mailing address, at least in boot camp.

            Like you say, it isn't really a secret and it wasn't until a few years later that you heard everyone saying not to tell anyone your number and then we started pretending it was a secret.

            • This is confusing the issue. I'm not trying to imply that the SSN is a secret. I'm implying that it's UNIQUE. I, personally, don't want everything I purchase, every service I sign up for, every bill I pay (yes, I know, card issuers can track this which is why i prefer cash) or everywhere I go to be uniquely traceable on some database with an easily verifiable primary key.

              It's harder to avoid than it first appears. Every little unique fact about you is one more bitmap to pry into your life and you can only
              • I'm not trying to imply that the SSN is a secret. I'm implying that it's UNIQUE.

                Social Security Numbers are NOT unique [nbcnews.com] per person. not even close. People have more than one (often for legitimate reasons) and many numbers are used for more than one person (usually for identity theft). We're talking tens of millions of people here. We tend to think of them as unique identifiers in the sense of a primary key but in reality they definitely are not reliable in that capacity and never have been.

                It's far better if you never accept the linkage in the first place because, once you've given a piece of information away, you've completely lost control of it.

                Quite so.

                • We're talking tens of millions of people here. We tend to think of them as unique identifiers in the sense of a primary key but in reality they definitely are not reliable in that capacity and never have been.

                  They are reliable enough as a unique identifier for the purposes of attempting identify theft, which was the parent poster's point. Unique enough as a primary key in some national database, okay perhaps not. But the identity thief does not require that level of accuracy to be successful -- and the IRS has no problem treating them as a unique identifier.

          • Better question: Why do we pretend that SSNs are "secret"?

            Lot's of data is technically public that you really don't want to be made more available than necessary. Identity theft is a serious problem and given how casually SSN's are handled and how they are used for authentication (even when they shouldn't be) giving a lookup table for them is a terrible idea currently.

            They are already semi-public, and generally used as a "citizenship number".

            That doesn't make it a good idea or desirable. It's certainly at odds with a lot of privacy considerations.

            Why not just go all the way, and make SSNs fully public?

            Because you have to change a lot of other infrastructure and business practices to make t

        • If I understand the SSN correctly, in Australia the equivalent is the Tax File Number (TFN).

          Only an employer, once you're employed, a bank (to deduct tax from any interest you may earn from having money in the bank) and the Tax office are allowed to ask for it. Or store it.

          Anyone else asking for it is committing an offence.

          TFNs are secret.

  • If you're going to put up a web-facing app, you should give that app access only to the data it needs. Why is a subscriber's SSN required for the app in question here?
    • For verification that the user is who they say they are and they're authorized to make changes to the account. This is their sales portal, so they'll verify the user's information first.
      • ...For verification that the user is who they say they are and they're authorized to make changes to the account. ...

        Why does the app have access to the SSN? Why not, e.g., hash what the customer enters and compare the hashes? Why not, e.g., send the entered SSN off to a different server that does not have internet access and is more secure?

        • Because it's not your "social security password" so why would you salt and hash like a password? That's the thinking (or lack thereof) behind it I assume. If we called it a "social security password" maybe braindead developers would recognize it's sensitive and store a randomly-salted hash. But hell, most of them don't even do that and passwords are exposed. It's all this outsourced development in node js and ruby on snails which prevents actual intelligent people from architecting it properly. As long as
          • ...Because it's not your "social security password" so why would you salt and hash like a password? ...

            I never said it was a password. .

            ...That's the thinking (or lack thereof) behind it I assume....,

            You shouldn't dis someone when you make incorrect assumptions.

            • by suutar ( 1860506 )

              He seemed to me to be dissing stupid developers who assume that if the field isn't named "password" then it doesn't matter if it's exposed.

    • by dknj ( 441802 )

      Why is a subscriber's SSN required, period? Okay I can understand to protect against bad apples. But why do you need my SSN for the future when my payment history is all the credit history you need?

      Because they are selling your data and your SSN is a great choice for a primary key. This is the user's fault. If you think a $250 deposit costs more than your security is worth, then by all means don't stop giving out your SSN

      -dk

  • by sjbe ( 173966 ) on Thursday August 09, 2018 @06:33AM (#57095770)

    A security flaw in the Comcast Xfinity online portal exposed social security numbers and partial home addresses of more than 26.5 million subscribers

    So my beef with this isn't that a security flaw happened. I expect that to happen from time to time even though I think the consequences for it aren't nearly severe enough currently. The problem I have is that Comcast is storing Social Security Numbers in the first place. They have absolutely zero need to store this information. Yes I'm aware that lots of companies do it and for the most part they don't need it either. But let's ignore that and say they do need/want to store my SSN. Then there should be consequences with serious teeth for security failures regarding sensitive information about me. We have these leaks in part because there are effectively zero consequences for mismanagement of sensitive customer data. The companies simply don't have to care very much. Failure to keep this data secure should result in heavy fines and odious government oversight. It should be ugly enough to make them think seriously about what data they really ought to be storing and how they go about it and what best practices to use. Companies that act responsibly should be free to go about their business but those that can't or won't handle sensitive data responsibly should be very afraid.

  • comcast open wifi network the backs on your link is also there as well.

  • we have no reason to believe these vulnerabilities were ever used against Comcast customers
    That's not a no, I'd like a actual no actual customers were harmed with these exploits. Is that to much to ask?
  • I have for the 3 years gotten emails sent to my yahoo email address, from comcast that were sent to a another comcast email. my yahoo email is no where in comcast's systems and the comcast customer I'm geeting's emails lives on the other side of the state. we don't know each other. Comcast also has no idea why i'm getting copies of this persons emails and I've talked to their security department twice about this and still no fix. The last time they rebuilt his whole email on their system...I still get em
  • by fedos ( 150319 ) <<moc.liamg> <ta> <drahcuob.nella>> on Thursday August 09, 2018 @11:34AM (#57097056) Homepage
    Our social security numbers have already been leaked by half a dozen negligent organizations.
  • ...or learn something closer to the real numbers later. As I pointed out earlier [slashdot.org] these stories follow a pattern and part of that pattern is to lowball the first press release of the number of adversely affected parties. Comcast will likely join the ranks of Equifax [slashdot.org], Yahoo [slashdot.org], and Hyatt [slashdot.org].

Never test for an error condition you don't know how to handle. -- Steinbach

Working...