Comcast website leaks details of Xfinity users -- including router passwords
Security researchers have discovered a bug in the Comcast website that makes it possible to gather information about Xfinity users. As well as customer data such as home addresses, it is also possible to access wireless network details including passwords.
The bug was reported by Karan Saini and Ryan Stevenson after they found it was possible to use the Xfinity activation website to access customer data using nothing more than a customer account ID and that customer's house or apartment number.
Although the online form for activation asks for a full address, it is only necessary to supply the number part as well as the customer ID. From here it is then possible to access full address information as well as network name and password.
The vulnerability affects Comcast customers with Xfinity routers, as the password is built in. To help with ease of setup, an app can be used to configure additional devices, and this means syncing custom SSIDs and passwords -- data which can also be accessed.
The news was reported by ZDNet after the site was contacted by Saini and Stevenson, and even if customers opt to change their password this offered no protection as the site could simply be used to access the new password.
Since the news broke, Comcast removed the option from its website. The company also issued a statement, saying:
There's nothing more important than our customers' security. Within hours of learning of this issue, we shut it down. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn't happen again.