
Data-stealing bug prompts Comcast to shut down Xfinity activation website


Two security researchers uncovered a bug within Comcast’s online activation portal that revealed a customer’s home address along with the Wi-Fi network name and password in plain text. Within hours of learning of the flaw uncovered by Karan Saini and Ryan Stevenson, Comcast shut down the Xfinity activation site, citing customer security as its top concern.

To activate their routers, customers have to visit an Xfinity activation website and enter some user information to set up their router and service. Saini and Stevenson discovered that even though the website asks for a customer’s full address, just an apartment or house number was needed along with an account ID. Both pieces of information required to gain access to the activation portal could easily be found on a discarded bill.


The activation portal continues to work and return information about the customer and the Wi-Fi network even after the router and home broadband service have been activated.


If a customer is using a Comcast or Xfinity-branded router, then the activation portal continues to return updated network information, so if a customer changes the network name or password, that latest information would be displayed on the activation portal. ZDNet noted that there’s no way for a customer to opt out of this system. For customers using their own router, the publication discovered that the portal doesn’t have access to the Wi-Fi network name and password to display.

At the most basic level, the security concern is that customers’ network data and home addresses aren’t protected by a requirement for information that isn’t readily available on an account statement. Further, once a hacker obtains the network data, they can use it maliciously if they’re within close proximity to the Wi-Fi network. The network ID and password could be used to gain access to unencrypted web traffic that passes through the router. Additionally, hackers can temporarily lock users out by changing the network name and password once they have access.
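The check described above, next to a stricter one, as an added example that is not Comcast's code or anything published by the researchers. The account records, field names, account IDs and the one-time activation code are all constructed assumptions.

```python
import hmac
from dataclasses import dataclass

@dataclass
class Account:  # constructed record; every field name is an assumption
    house_number: str
    full_address: str
    ssid: str
    wifi_password: str
    activated: bool
    activation_code: str  # hypothetical one-time secret, never printed on a bill

# Constructed sample accounts keyed by a made-up account ID.
ACCOUNTS = {
    "ACCT-0001": Account("42", "42 Example St, Springfield", "HomeNet",
                         "hunter2-sample", True, "731905"),
    "ACCT-0002": Account("7", "7 Sample Ave, Springfield", "NewNet",
                         "changeme-sample", False, "284416"),
}

def _norm(text: str) -> str:
    """Case- and whitespace-insensitive form used to compare addresses."""
    return " ".join(text.lower().split())

def weak_lookup(account_id: str, address_field: str):
    """The flaw as reported: only the house number is compared, and the response
    carries the address and Wi-Fi details even for an already-active service."""
    acct = ACCOUNTS.get(account_id)
    parts = address_field.split()
    if acct is None or not parts or parts[0] != acct.house_number:
        return None
    return {"address": acct.full_address, "ssid": acct.ssid,
            "wifi_password": acct.wifi_password}

def hardened_lookup(account_id: str, address_field: str, code: str):
    """Requires the full address plus a secret that is not on the bill,
    works once per account, and never echoes customer or network data."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.activated:
        return None  # already-active service: nothing to return
    address_ok = _norm(address_field) == _norm(acct.full_address)
    code_ok = hmac.compare_digest(code.encode(), acct.activation_code.encode())
    if not (address_ok and code_ok):
        return None
    acct.activated = True  # the activation code is single-use
    return {"status": "activated"}
```
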

Comcast has since disabled this feature on its website to correct the security flaw. “Within hours of learning of this issue, we shut it down,” a Comcast spokesperson told ZDNet. “We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.” In a separate statement to Gizmodo, Comcast noted that it doesn’t believe that any data was improperly accessed as a result of this bug.

News of the bug comes at a time when Comcast is launching its own mesh networking accessory.

Chuong Nguyen
Silicon Valley-based technology reporter and Giants baseball fan who splits his time between Northern California and Southern…