Comcast Xfinity customers are the latest to suffer from lax online security. According to a report by BuzzFeed News, more than 26.5 million customers had their home addresses and Social Security numbers exposed …
Security researcher Ryan Stevenson was the first to discover the flaws. The vulnerabilities were in Comcast's online customer portal and made it easy even for an unsophisticated attacker to reach this sensitive information.
BuzzFeed News informed Comcast of the security problems and the ISP was able to fix the vulnerabilities quickly. In a statement about the exposure, a Comcast spokesman said the company had closed the holes within "hours" while reaffirming its commitment to security:
Spokesman David McGuire told BuzzFeed News: "We investigated these issues quickly and within a few hours we blocked both vulnerabilities, eliminating the ability to perform the actions described by these researchers. We take the safety of our customers very seriously and have no reason to believe that these vulnerabilities were ever used against Comcast customers outside of the research described in this report."
One of the flaws involved an in-home authentication page that lets a user pay bills without logging in. Through that portal, a visitor could confirm a customer's account details by selecting from partial addresses suggested by the Comcast site, provided the visitor was, or appeared to be, connected to the home network:
In the end, the page reveals the first digit of the house number and the first three letters of the street name, with asterisks masking the remaining characters. An attacker can then use IP lookup websites to determine the city, state and postal code that go with the partial address.
The second vulnerability was found on a login page for Comcast's authorized resellers. With only a customer's billing address, an attacker could brute-force the last four digits of that customer's Social Security number.
Given nothing more than a customer's billing address, an attacker can brute-force (in other words, try four-digit combinations until the right one is guessed) the last four digits of the customer's Social Security number. Because the login page did not limit the number of attempts, an attacker could run a program that kept submitting the form until the correct Social Security digits were accepted.
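The missing control in that second flaw is an attempt limit. The following Python snippet is an added illustration, not Comcast's code or anything from the BuzzFeed report: it wraps a "last four digits" check in a per-account failure counter with a lockout window and then walks all 10,000 possible values against it to show how few guesses the endpoint answers before going silent. The account table, the threshold of five failures and the 15-minute lockout are constructed values for the example.

```python
import hmac
import time
from dataclasses import dataclass, field

# Constructed sample data: account id -> last four digits on file.
# Invented for this example; stands in for a real datastore.
ACCOUNTS = {
    "acct-1001": "4821",
    "acct-1002": "0937",
}

MAX_FAILURES = 5            # failed attempts allowed before lockout (assumed policy)
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked afterwards


@dataclass
class AttemptState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class VerificationGuard:
    """Per-account failure counter with a lockout window.

    Keyed on the account being probed rather than only on the client IP,
    so rotating source addresses does not reset the guessing budget.
    """
    max_failures: int = MAX_FAILURES
    lockout_seconds: float = LOCKOUT_SECONDS
    _state: dict = field(default_factory=dict)

    def allowed(self, key, now):
        st = self._state.setdefault(key, AttemptState())
        return now >= st.locked_until

    def record_failure(self, key, now):
        st = self._state.setdefault(key, AttemptState())
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0

    def record_success(self, key):
        self._state.pop(key, None)


def verify_last4(account_id, supplied, guard, now=None):
    """Return 'ok', 'mismatch' or 'locked' for one verification attempt."""
    if now is None:
        now = time.time()
    if not guard.allowed(account_id, now):
        return "locked"
    expected = ACCOUNTS.get(account_id)
    # Constant-time comparison; an unknown account counts as a mismatch
    # so the response does not reveal which accounts exist.
    ok = expected is not None and hmac.compare_digest(expected, supplied)
    if ok:
        guard.record_success(account_id)
        return "ok"
    guard.record_failure(account_id, now)
    return "mismatch"


def simulate_exhaustive_search(account_id, guard, now=0.0):
    """Submit 0000..9999 against one account and count how many guesses
    the guard let through before the endpoint stopped answering."""
    answered = 0
    for n in range(10000):
        result = verify_last4(account_id, f"{n:04d}", guard, now)
        if result == "locked":
            break
        answered += 1
        if result == "ok":
            break
    return answered


if __name__ == "__main__":
    # Unlimited attempts: every value is answered until the right one lands.
    print("no limit:", simulate_exhaustive_search("acct-1002", VerificationGuard(max_failures=10**6)))
    # With the lockout policy the endpoint answers only a handful of guesses.
    print("with lockout:", simulate_exhaustive_search("acct-1002", VerificationGuard()))
```

In a deployment the counter would live in shared storage (not process memory), be paired with a per-source-IP throttle and a CAPTCHA or step-up check, and every lockout event would be logged so that a burst of them across many accounts surfaces as an alert rather than going unnoticed.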