Comcast flaws exposed partial home addresses, Social Security numbers of 26.5 million...

By Shawn Knight
Aug 9, 2018
Security researcher Ryan Stevenson discovered the flaws, according to BuzzFeed News.

One flaw was exploitable by visiting Comcast’s “in-home authentication” page, on which customers can pay their bills without signing in. If it appeared that the visitor was connected from the customer’s home network, the portal asked the customer to verify their account by selecting one of four partial home addresses from a list.

Obtaining and spoofing an IP address is relatively easy, and by refreshing the login page, three of the offered partial addresses would change while the fourth (and correct) address would stay the same. With a partial address and a bit more detective work, it would be possible to determine the city, state and postal code behind it.

Comcast has since disabled in-home authentication and requires customers to manually input personal information to verify their account when paying a bill.
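The refresh behaviour described above is a design flaw in how the challenge is generated, not in the addresses themselves: when the three decoys are drawn fresh on every request, the one option that never changes is the answer. The following is an added example (not Comcast's code, and not anything from the BuzzFeed report) that contrasts a per-request decoy picker with one whose decoys are derived from an HMAC over the account identifier, so that every refresh shows the same four options. The address strings, decoy pool and server key are constructed sample data; `stable_options` is the check a reviewer would run to see whether repeated refreshes converge on a single constant.

```python
import hashlib
import hmac
import random
from typing import List

# Constructed sample data: a pool of masked decoy addresses (not real addresses).
DECOY_POOL = [
    "12** Oak St", "4*** Pine Ave", "7** Maple Dr", "9*** Elm Rd",
    "3** Birch Ln", "55** Cedar Ct", "8** Spruce Way",
]


def weak_challenge(real: str, rng: random.Random) -> List[str]:
    """Decoys drawn fresh on every request: the real answer becomes the only
    option that survives across refreshes."""
    options = rng.sample(DECOY_POOL, 3) + [real]
    rng.shuffle(options)
    return options


def fixed_challenge(real: str, account_id: str, server_key: bytes) -> List[str]:
    """Decoys (and their order) derived from HMAC(server_key, account_id), so a
    refresh returns exactly the same four options and reveals nothing new."""
    digest = hmac.new(server_key, account_id.encode(), hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(digest[:8], "big"))
    options = rng.sample(DECOY_POOL, 3) + [real]
    rng.shuffle(options)
    return options


def stable_options(challenges: List[List[str]]) -> List[str]:
    """Options present in every observed refresh. A single survivor means the
    challenge leaks its answer; four survivors means refreshing gained nothing."""
    common = set(challenges[0])
    for c in challenges[1:]:
        common &= set(c)
    return sorted(common)


def leak_check(refreshes: int = 20) -> dict:
    """Run both generators for the same (constructed) account and report what
    stays constant across the given number of refreshes."""
    real = "6*** Willow St"                       # constructed sample answer
    key = b"server-side-secret-for-demo-only"     # assumption: a per-deployment key
    rng = random.Random(1)                        # seeded so the demo is repeatable
    weak = [weak_challenge(real, rng) for _ in range(refreshes)]
    fixed = [fixed_challenge(real, "acct-demo-1", key) for _ in range(refreshes)]
    return {"weak": stable_options(weak), "fixed": stable_options(fixed)}


if __name__ == "__main__":
    print(leak_check())
```

Deterministic decoys only close the refresh leak; they do not make a four-choice address list a sound authenticator, since the answer can still be guessed with probability one in four per attempt and the "in-home" trust decision rests on a spoofable source IP. Disabling the feature, as the article reports, removes the weaker check entirely.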

The other vulnerability involved a sign-up page on Comcast’s website for authorized dealers. With just a customer’s billing address, it was possible for an attacker to brute-force the last four digits of the customer’s Social Security number. Comcast’s portal didn’t restrict the number of attempts, so a user could keep plugging in digits until the correct combination was found.

After being tipped off about the vulnerability, Comcast added a rate limit to the portal.
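A four-digit field has only 10,000 possible values, so an unthrottled check is exhausted in minutes; a per-account failure budget turns that into a multi-week worst case and makes the activity visible. The verifier below is an added example (not Comcast's implementation) of such a limit: failed attempts are counted per account inside a sliding window, the lockout is checked before the comparison so a correct guess cannot slip through while locked, and the comparison itself is constant-time. The account records, limits and timestamps are constructed sample data; `worst_case_seconds_to_exhaust` shows the arithmetic behind the limit.

```python
import hmac
import time
from collections import defaultdict
from typing import Dict, List, Optional

MAX_ATTEMPTS = 5              # failed attempts allowed per account per window
LOCKOUT_SECONDS = 15 * 60     # window length; both values are assumptions for the demo


class Last4Verifier:
    """Verifies a four-digit value against a stored record with per-account
    lockout. Records are passed in plain for the demo; a real system would
    compare against a salted hash and keep the counters in shared storage."""

    def __init__(self, records: Dict[str, str],
                 max_attempts: int = MAX_ATTEMPTS,
                 lockout: int = LOCKOUT_SECONDS) -> None:
        self._records = records
        self._fails: Dict[str, List[float]] = defaultdict(list)
        self.max_attempts = max_attempts
        self.lockout = lockout

    def _recent_failures(self, account: str, now: float) -> int:
        cutoff = now - self.lockout
        self._fails[account] = [t for t in self._fails[account] if t > cutoff]
        return len(self._fails[account])

    def verify(self, account: str, guess: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'wrong' or 'locked'. The lockout check runs first so a
        correct guess submitted while locked is still refused."""
        now = time.time() if now is None else now
        if self._recent_failures(account, now) >= self.max_attempts:
            return "locked"
        expected = self._records.get(account, "")
        well_formed = len(guess) == 4 and guess.isdigit()
        if well_formed and hmac.compare_digest(expected, guess):
            self._fails[account].clear()
            return "ok"
        self._fails[account].append(now)   # unknown accounts count too, so enumeration of accounts is also throttled
        return "wrong"


def worst_case_seconds_to_exhaust(space: int = 10_000,
                                  max_attempts: int = MAX_ATTEMPTS,
                                  lockout: int = LOCKOUT_SECONDS) -> int:
    """Time a sequential guesser needs to cover the whole value space when it
    gets max_attempts guesses per lockout window."""
    windows = -(-space // max_attempts)   # ceiling division
    return windows * lockout


if __name__ == "__main__":
    v = Last4Verifier({"acct-1": "4321"})   # constructed sample record
    print(v.verify("acct-1", "0000", now=0.0))
    print(worst_case_seconds_to_exhaust() / 86400, "days")
```

A per-account lockout has a known cost: anyone who can reach the form can lock a customer out by spending their failure budget, so it is normally paired with a per-source limit, alerting on lockouts, and a recovery path that does not depend on the same field. It also does not change the underlying problem the commenters raise below, which is that the last four digits of an SSN are widely held and make a poor secret in the first place.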

Comcast spokesperson David McGuire told BuzzFeed News that the company quickly investigated the issues and blocked both vulnerabilities within hours, eliminating the ability to exploit them. McGuire added that Comcast has no reason to believe the vulnerabilities were ever used against customers outside of the research described in the report.

Screenshots courtesy BuzzFeed News

TheBigT42 (TS Maniac, Posts: 263, +140)

Does anyone else wonder WTF Comcast is doing with a customer's SSN??
paytonpenn (TS Rookie)

It's normally required when performing the initial credit check upon sign-up.
roberthi (TS Addict, Posts: 311, +81)

Yes, but after that point, it shouldn't be stored and certainly not online.
