Comcast Security Flaw Exposes Partial Addresses, Social Security Numbers of 26 Million Users (buzzfeednews.com)66
olsmeister writes:A
security flaw in the Comcast Xfinity online portal exposed
social security numbers and partial home addresses of more than
26.5 million subscribers, according to security researcher Ryan
Stevenson. Comcast says the flaws have already been patched
and that it currently has no reason to believe that the flaws were
ever exploited.BuzzFeed reports of the two vulnerabilities:One
of the flaws could be exploited by going to an "in-home
authentication" page where customers can pay their bills without
signing in. The portal asked customers to verify their account by
choosing from one of four partial home addresses it suggested, if
the device was (or seemed like it was) connected to the customer's
home network. If a hacker obtained a customer's IP address and
spoofed Comcast using an "X-forwarded-for"
technique, they could repeatedly refresh this login page to
reveal the customer's location. That's because each time the page
refreshed, three addresses would change, while one address, the
correct address, remained the same. Eventually, the page would show
the first digit of the street number and first three letters of the
correct street name, while asterisks hid the remaining characters. A
hacker could then use IP lookup websites to determine the city,
state, and postal code of the partial address.
In the second vulnerability that Stevenson discovered, a sign-up page through the website for Comcast's Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers' Social Security numbers. Armed with just a customer's billing address, a hacker could brute-force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer's Social Security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form.After learning of these vulnerabilities, Comcast disabled in-home authentication and put a strict rate limit on the portal. Here's what a Comcast spokesperson had to say about the matter: "We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers' security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report."
In the second vulnerability that Stevenson discovered, a sign-up page through the website for Comcast's Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers' Social Security numbers. Armed with just a customer's billing address, a hacker could brute-force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer's Social Security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form.After learning of these vulnerabilities, Comcast disabled in-home authentication and put a strict rate limit on the portal. Here's what a Comcast spokesperson had to say about the matter: "We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers' security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report."