
Image credit: RiverNorthPhotography via Getty Images

Xfinity website bug revealed home addresses and Wi-Fi passwords

Comcast had to shut down the site in the midst of a product launch.

This week, ZDNet reported that a Comcast website used to activate Xfinity routers was leaking personal data, including a person's home address, the name of the Wi-Fi network and password. This bug was first uncovered by two researchers, Karan Saini and Ryan Stevenson.

Saini and Stevenson found that they needed only a customer ID and a house or apartment number (not the full address) to force the website to deliver the information, even though the form requested a full address. This information can be obtained from a discarded bill, or, if an attacker has only the ID, the house or apartment number can be guessed.

ZDNet was able to confirm that the bug indeed returned home addresses, as well as Wi-Fi username and password information in plain text. For one user they tested who didn't use Xfinity's router, the website returned the home address but not the username or password of the Wi-Fi network (another reason to always use your own router). If this wasn't bad enough, it's possible someone could have used this method to rename a Wi-Fi network or change the password, locking someone out of their own network.
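The weakness described above, modeled beside a hardened check, as an added example that is not Comcast's code and not part of the original article. The account store, field names, lockout threshold and sample values are all assumptions constructed for illustration.

```python
import hmac
import re
from collections import defaultdict

# Constructed sample record; all field names and values are hypothetical.
ACCOUNTS = {
    "ACCT-1001": {
        "address": "742 Evergreen Terrace, Apt 3, Springfield, IL 62704",
        "house_number": "742",
        "ssid": "HOME-1A2B",
        "wifi_password": "constructed-sample-secret",
    }
}
MAX_FAILURES = 3  # assumed lockout threshold per account ID
_failures = defaultdict(int)


def _normalize(address):
    """Lower-case and collapse punctuation/whitespace so formatting does not matter."""
    return re.sub(r"[^a-z0-9]+", " ", address.lower()).strip()


def lookup_weak(account_id, submitted_address):
    """The flaw as reported: only the house number is compared, and the
    response carries the full address and Wi-Fi credentials."""
    record = ACCOUNTS.get(account_id)
    if record is None:
        return None
    tokens = _normalize(submitted_address).split()
    if tokens and tokens[0] == record["house_number"]:
        return dict(record)
    return None


def lookup_hardened(account_id, submitted_address):
    """Match the whole address, cap failed attempts per account ID, and
    return only a status: never the address or Wi-Fi credentials."""
    if _failures[account_id] >= MAX_FAILURES:
        return {"status": "locked"}
    record = ACCOUNTS.get(account_id)
    expected = _normalize(record["address"]) if record else ""
    supplied = _normalize(submitted_address)
    if record and hmac.compare_digest(expected.encode(), supplied.encode()):
        _failures[account_id] = 0
        return {"status": "verified"}
    _failures[account_id] += 1
    return {"status": "denied"}
```

The attempt cap matters because a house or apartment number has a small value space; a real deployment would also require an authenticated session before any Wi-Fi setting is shown or changed.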

Comcast is aware of the issue and has removed the option from its website. "There's nothing more important than our customers' security," a Comcast spokesperson told ZDNet. "Within hours of learning of this issue, we shut it down. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn't happen again." Still, considering that the service just introduced its mesh routers last night, the timing of this discovery isn't great. It's good that the company acted quickly, but it doesn't change the fact that this breach of security happened in the first place.

Source: ZDNet