Thursday, August 9, 2018

A security flaw with Comcast has exposed millions of customers' home addresses and more


Comcast Xfinity inadvertently exposed the partial home addresses and social security numbers of more than 26.5 million customers, according to security researcher Ryan Stevenson, who discovered the security flaws. Two previously unreported vulnerabilities in the high-speed internet service provider’s online customer portal made it easy for even an unsophisticated hacker to access this sensitive information.

After the findings were reported to Comcast, the company patched the flaws. Spokesperson David McGuire told BuzzFeed News, “We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.”

While Comcast has not found any foul play yet, its review is ongoing.

One of the flaws could be exploited by going to an “in-home authentication” page where customers can pay their bills without signing in. If the request appeared to come from the customer’s home network, the portal asked the visitor to verify the account by choosing the right one of four partial home addresses it suggested. The check for “home network” was based on the request’s source IP address, and the portal honored an X-Forwarded-For header (the header proxies use to pass along the original client address) without verifying that the request had actually come through one of its own proxies. An attacker who knew a customer’s public IP address could therefore forge that header, make the portal believe the request came from the customer’s home, and refresh the page repeatedly. Each refresh drew three new decoy addresses at random, while the fourth option, the correct address, stayed the same, so the one address that appeared on every refresh was the customer’s.

Once the stable option was identified, the page had given away the first digit of the street number and the first three letters of the street name, with asterisks hiding the remaining characters. An IP geolocation lookup for the same address then supplied the city, state, and postal code to go with that fragment.
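The two mistakes described above, trusting a client-supplied X-Forwarded-For header and re-drawing decoys on every refresh, can both be shown in a few lines. The following is an added illustration, not Comcast’s code or anything recovered from the portal: the address pool, the masking format, the account identifier and the proxy addresses are all constructed for the example. It models the flawed challenge, the attacker’s intersection-across-refreshes trick, and two fixes (decoys derived deterministically per account, and honoring X-Forwarded-For only from a known proxy).

```python
import hashlib
import hmac
import secrets
from typing import Callable, List, Optional, Set

# Constructed sample pool of masked addresses (first digit of the street
# number, first three letters of the street name). Illustrative only.
ADDRESS_POOL = [
    "1*** Mai******", "2*** Oak******", "3*** Elm******", "4*** Pin******",
    "5*** Ced******", "6*** Map******", "7*** Bir******", "8*** Wal******",
    "9*** Che******", "1*** Ash******",
]


def vulnerable_challenge(correct: str, pool: List[str]) -> List[str]:
    """Flawed behaviour: the correct address is always present and the
    three decoys are drawn fresh at random on every refresh."""
    decoys = [a for a in pool if a != correct]
    chosen: List[str] = []
    while len(chosen) < 3:
        d = secrets.choice(decoys)
        if d not in chosen:
            chosen.append(d)
    options = chosen + [correct]
    secrets.SystemRandom().shuffle(options)
    return options


def hardened_challenge(correct: str, pool: List[str], account_id: str, key: bytes) -> List[str]:
    """Fix: pick decoys and their order from a keyed hash of the account id,
    so every refresh shows the same four options in the same order and
    repeated requests leak nothing beyond the first one."""
    def rank(label: str, a: str) -> bytes:
        return hmac.new(key, f"{account_id}|{label}|{a}".encode(), hashlib.sha256).digest()

    decoys = sorted((a for a in pool if a != correct), key=lambda a: rank("pick", a))
    options = decoys[:3] + [correct]
    options.sort(key=lambda a: rank("pos", a))
    return options


def intersect_refreshes(fetch: Callable[[], List[str]], refreshes: int) -> Set[str]:
    """Attacker's side: request the page repeatedly and keep only the
    options that appear every single time."""
    survivors = set(fetch())
    for _ in range(refreshes - 1):
        survivors &= set(fetch())
    return survivors


def effective_client_ip(remote_addr: str, xff: Optional[str], trusted_proxies: Set[str]) -> str:
    """Only honour X-Forwarded-For when the direct peer is one of our own
    reverse proxies (single-proxy deployment assumed). Otherwise any client
    can claim any source address by setting the header itself."""
    if xff and remote_addr in trusted_proxies:
        # The rightmost entry is the one our proxy appended; earlier
        # entries were supplied by the client and are untrusted.
        return xff.split(",")[-1].strip()
    return remote_addr


if __name__ == "__main__":
    real = ADDRESS_POOL[2]
    leaked = intersect_refreshes(lambda: vulnerable_challenge(real, ADDRESS_POOL), 30)
    print("vulnerable portal, 30 refreshes ->", leaked)
    key = secrets.token_bytes(32)
    stable = intersect_refreshes(lambda: hardened_challenge(real, ADDRESS_POOL, "acct-1", key), 30)
    print("hardened portal, 30 refreshes   ->", sorted(stable))
    print("spoofed XFF from untrusted peer ->",
          effective_client_ip("203.0.113.5", "198.51.100.7", {"10.0.0.1"}))
```

Against the flawed challenge the intersection collapses to a single address after a handful of refreshes (with nine decoys, each one has only a one-in-three chance of reappearing on any given refresh). Against the hardened version the intersection stays at four options no matter how often the page is reloaded, and the address-based “in-home” decision is no longer reachable from outside the home at all once X-Forwarded-For is ignored from untrusted peers.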

After learning of the vulnerability, Comcast disabled in-home authentication. Now, customers need to manually input personal information to verify their account.

This vulnerability was particularly easy to exploit and to aim at a specific person. It’s simple to obtain someone’s IP address, the numeric identifier assigned to a home’s internet connection that every device on that network shares when it reaches the web. Web administrators can see the IP address of everyone who visits their site. Many forums also display users’ IP addresses alongside their usernames. A malicious actor can also send the target a link that records the IP address of whoever opens it.

While an IP address alone is not sensitive information, paired with the knowledge of someone’s internet service provider, it can help a bad actor confirm their target’s specific location. And often, it’s fairly easy to figure out someone’s internet service provider, or ISP, because an area is typically limited to one or two high speed internet options, thanks to the consolidation of internet companies.

In the second vulnerability that Stevenson discovered, a sign-up page on the website for Comcast’s Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers’ social security numbers. Armed with just a customer’s billing address, an attacker could brute force the last four digits, in other words submit every one of the 10,000 possible four-digit combinations until the form accepted one. Because the page did not limit the number of attempts, a simple script could keep submitting guesses until the correct digits were accepted, which at 10,000 tries takes minutes rather than days.
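The arithmetic behind that brute force, and the one control that defeats it, can be shown with a small simulation. This is an added example, not the dealer site’s code: the customer record, billing address and SSN fragment are constructed, and the `Verifier` class stands in for the sign-up form, first with no attempt limit (the flaw the article describes) and then with a per-identifier lockout.

```python
import hmac
import itertools
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

# Constructed sample record: a fictional customer keyed by billing address.
# The value is the last four digits of the SSN the form asks for.
CUSTOMERS: Dict[str, str] = {
    "123 Example St, Anytown": "4821",
}


class Verifier:
    """Models a 'confirm the last four of your SSN' step.

    max_attempts=None reproduces the flawed form: no limit, so all 10,000
    combinations can be tried. With a limit, the billing address is locked
    after that many consecutive failures."""

    def __init__(self, max_attempts: Optional[int]):
        self.max_attempts = max_attempts
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked: Set[str] = set()

    def check(self, billing_address: str, guess: str) -> str:
        if billing_address in self.locked:
            return "locked"
        expected = CUSTOMERS.get(billing_address)
        # Constant-time compare; unknown addresses fall through to "wrong"
        # so the response does not reveal whether the address exists.
        if expected is not None and hmac.compare_digest(expected, guess):
            self.failures.pop(billing_address, None)
            return "ok"
        self.failures[billing_address] += 1
        if self.max_attempts is not None and self.failures[billing_address] >= self.max_attempts:
            self.locked.add(billing_address)
        return "wrong"


def brute_force_last4(verifier: Verifier, billing_address: str) -> Tuple[Optional[str], int]:
    """Attacker loop: try 0000..9999 in order. Returns the recovered digits
    (or None) and how many submissions were needed before the verifier
    either accepted a guess or locked the identifier."""
    attempts = 0
    for digits in itertools.product("0123456789", repeat=4):
        guess = "".join(digits)
        attempts += 1
        result = verifier.check(billing_address, guess)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    addr = "123 Example St, Anytown"
    print("no attempt limit:", brute_force_last4(Verifier(None), addr))
    print("lock after 5    :", brute_force_last4(Verifier(5), addr))
```

With no limit the loop recovers the digits on the 4,822nd submission, well inside the worst case of 10,000. With a five-attempt lockout it gets five wrong answers and a sixth response of “locked”, and the search stops. A lockout on its own lets an attacker deny service to a known customer, so in practice it is paired with progressive delays, a CAPTCHA step and alerting rather than used alone.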
