
August 9, 2018

Xfinity August 2018 security vulnerability: Everything you need to know

by John_A

Two different vulnerabilities exposed social security numbers and addresses.


Comcast’s Xfinity internet/TV/home phone service is one of the most popular across the United States, and according to a report from BuzzFeed News, two individual security vulnerabilities left the social security numbers and home addresses of all 26.5 million subscribers exposed and accessible to even novice hackers.

Comcast says that there’s no reason to believe any information was actually stolen, but even so, here’s what you should know about what’s going on.

What happened?

The first of the two vulnerabilities allowed attackers to obtain customers’ full addresses using Comcast’s in-home authentication system.

[Image: Comcast in-home login page]

When connected to your home Xfinity network, you could log in to pay your bill by simply selecting the correct address from a list of five (see the picture above).

As BuzzFeed News notes in its article:

If a hacker obtained a customer’s IP address and spoofed Comcast using an “X-forwarded-for” technique, they could repeatedly refresh this login page to reveal the customer’s location. That’s because each time the page refreshed, three addresses would change, while one address, the correct address, remained the same.

The second vulnerability has the potential to be even more damning, as it exposed the last four digits of social security numbers.

On the log-in page for Comcast Authorized Dealers (Comcast employees who sell the service at other retailers), the “Existing Customer Address” page asks for a user’s address, the last four digits of their SSN, their account PIN, and their driver’s license number.

The last four social security number digits are checked on this page, and with nothing more than a customer’s billing address, an attacker could repeatedly submit four-digit combinations until one matched. Per BuzzFeed News:

Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form.

What you can do to protect yourself

The in-home authentication system has since been disabled after Comcast was informed of the vulnerability, and for the Authorized Dealer log-in, Comcast says it’s placed “a strict rate limit on the portal” to prevent it from being abused.

Although Comcast is still conducting an investigation into the matter, the company says it doesn’t believe any information was wrongfully used.

Even so, it’s never a bad idea to update your password or start using two-factor authentication for all your online accounts when something like this pops up. In these situations, you can never be too safe.
