Two security researchers, Karan Saini and Ryan Stevenson, discovered a bug in Comcast’s website used to activate Xfinity routers – the site could return sensitive information on the company’s customers. Anyone with a subscriber’s account number and street address number would receive their Wi-Fi name and password.
What the bug was about
The Xfinity activation site was meant to help people set up their Internet connection for the first time: Ideally, you would enter your data, and Comcast would send back the router credentials while switching on the service.
However, it turned out that the site provided the sensitive details to anyone with the customer account ID and that customer’s house or apartment number — even though the web form asked for a full address. In fact, a determined attacker could simply guess the house or apartment number. If they did, the website would instantly give them your router’s SSID and password, enabling them to connect to the Wi-Fi network and use it however they like or monitor its traffic. They could also change the network name and password, temporarily locking the actual subscriber out.
The wireless name and password were sent on the web in plaintext, adding further to the security risk. In addition, the bug allowed to “activate” an account that was already active.
What the investigation found
ZDNet, who were the first to report
on the bug, had tried to get the details of two Xfinity customers and managed to obtain their full home addresses and zip codes – which both customers confirmed.
The site provided the Wi-Fi name and password for one of the two customers, who uses an Xfinity router. The other customer was using his private router – and the site didn’t return the network name or password.
After ZDNet’s publication, Comcast removed the option from its website and later stated: “Within hours of learning of this issue, we shut it down. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.”
How to protect your data in such cases
While the website bug was still active, it was no good changing your Wi-Fi password — Comcast would have just provided any malicious actor the new one. After the password changed, rerunning the details would return the new login credentials since they are synced with your account.
Now that the bug has been patched, you can change your password securely.
Should anything like this incident happen again, one thing you can do is treat your home network the same was as a public one — make sure encryption is enabled before you conduct any private business like shopping online.
Using a VPN to encrypt your online connection
would make sure that, in case an attacker has obtained access to your network, they cannot intercept your Internet traffic and steal your social media or banking passwords, files, and photos.