Portions of the home addresses and Social Security numbers of more than 26 million Comcast Xfinity customers were exposed thanks to two security flaws.
The vulnerabilities were discovered by security researcher Ryan Stevenson and reported by BuzzFeed News on Wednesday. Comcast emphasizes that it has fixed the problems: “We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers,” spokesperson David McGuire told Slate in a statement. “We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.”
The first flaw exposed customers’ partial home addresses on an “in-home authentication” page—a feature that allows customers to pay bills online without signing in if using a device connected to their home IP address (a numeric designation that identifies a computer’s location on the internet). All customers would have to do to verify their identity was select their correct partial home address from one of four options displayed. This was easily exploitable, BuzzFeed pointed out, because a hacker could have spoofed a customer’s IP address and then refreshed the page repeatedly to find their home address, since the correct answer would not change with each refresh. (Finding someone’s IP address is relatively simple.) That would give the hacker the first digit of the street number and the first three letters of the street name—enough to find the city, state, and postal code of the partial address, meaning that the hacker could determine the person’s specific location. Comcast has since changed the page so it requires customers to provide more information to log in.
The second flaw exposed the last four digits of customers’ Social Security numbers on the sign-up page for Comcast’s Authorized Dealer website, which helps customers find sales agents at non-Comcast retail locations. There was no limit on the number of times someone could submit the form, so a hacker would simply have had to input someone’s billing address in the respective boxes. Then, in a box titled “Last 4 Digits of SSN,” the bad actor could have put in random four-digit combinations (or used special software to do so) until they discovered the correct combination. Comcast has since limited the number of attempts.
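Both flaws come down to the same design mistake: a low-entropy verification step whose answer stays fixed while the attacker gets unlimited, informative retries. The following added example (not Comcast's code; the addresses, account id and secret are constructed) shows the refreshing-decoys design beside a hardened version that pins the option set per account with a keyed hash, a check a reviewer can run to confirm repeated refreshes reveal nothing, and the attempt cap that the SSN form lacked.

```python
import hashlib
import hmac
import random

# Constructed sample data for the demonstration; these are not real customer values.
TRUE_ADDRESS = "1 MAI"
DECOY_POOL = ["2 OAK", "3 ELM", "4 PIN", "5 CED", "6 BIR", "7 MAP", "8 WIL", "9 ASH"]
SERVER_SECRET = b"constructed-server-secret"  # a managed secret in a real deployment


def vulnerable_options(true_addr, rng=random):
    """Flawed design the article describes: three decoys are redrawn on every
    refresh while the correct address stays fixed, so refreshing leaks it."""
    opts = rng.sample(DECOY_POOL, 3) + [true_addr]
    rng.shuffle(opts)
    return opts


def hardened_options(true_addr, account_id):
    """Decoys derived deterministically from the account via a keyed hash, so every
    refresh (in any session) shows the same four options and reveals nothing new."""
    seed = hmac.new(SERVER_SECRET, account_id.encode(), hashlib.sha256).digest()
    rng = random.Random(seed)
    opts = rng.sample(DECOY_POOL, 3) + [true_addr]
    rng.shuffle(opts)
    return opts


def options_common_to_refreshes(render, refreshes=30):
    """Defensive check for a challenge design: intersect the option sets shown over
    many refreshes. A leak-free design keeps all 4; the flawed one collapses to 1."""
    common = set(render())
    for _ in range(refreshes - 1):
        common &= set(render())
    return common


class AttemptLimiter:
    """Per-key cap on verification attempts, the fix the article describes for the
    SSN form (and still needed here: a pinned option set leaves a 1-in-4 guess)."""

    def __init__(self, max_attempts):
        self.max_attempts = max_attempts
        self.counts = {}

    def allow(self, key):
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key] <= self.max_attempts
```

Pinning the decoys removes the information gained from refreshing, and the attempt cap limits what guessing the remaining options (or four SSN digits) can achieve; requiring additional proof of identity, as the article says Comcast now does, raises the bar further.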
The company has not found any indication that anyone actually exploited these vulnerabilities, but its review of the situation is ongoing. Comcast does have a submission form for reporting security flaws, though it does not offer a bounty program or compensation in exchange for this information. But Stevenson, the security researcher, did not report his findings to Comcast, according to BuzzFeed.
This isn’t the first time that Comcast customer data have been vulnerable. ZDNet has found two recent flaws: In May, it reported that a bug on the Xfinity website left customers’ Wi-Fi passwords and home addresses vulnerable. In June, it revealed that another page on the Xfinity website had exposed customers’ account numbers and home addresses.