Security researcher Ryan Stevenson spotted a vulnerability in Comcast Xfinity's in-home authentication system, which exposed the partial home addresses and partial Social Security numbers of 26.5 million customers.
The authentication feature is designed to make it easier for customers to access their accounts and reduce instances of password resets by letting users choose their correct home address from a displayed list of four partial addresses, according to an Aug. 8 BuzzFeed report.
The problem is that Comcast knows the customer's correct address by looking at the webpage visitor's IP address. This method could allow an attacker to find a customer's partial address by spotting the desired target customer's IP address and repeatedly refreshing the login page.
The threat actor would then see three of the suggested partial home addresses change, while only the correct one belonging to the targeted customer would remain the same.
Another vulnerability: the feature displays the first digit of the customer's street number and the first three letters of the street where they live, with asterisks hiding all other characters. But even from this limited information, the attacker could determine the customer's city, state, and postal code using an IP lookup website.
Stevenson also found the vulnerability could allow an attacker to brute force guess a customer's social security number using a sign-up page for Comcast's Authorized Dealers -- available via the website -- that allowed unlimited login attempts.
Comcast has limited this feature and patched the vulnerabilities after BuzzFeed informed them of the issues.
“We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers," A Comcast spokesperson told SC Media. "We take our customers' security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.”
