Comcast shut down an API on its Xfinity website after it was found to disclose home addresses, account numbers and other customer data, without any authorization check, to anyone sharing the customer's network or using an app on it.
The services tied to an account were likewise visible to anyone whose IP address the API recognized as belonging to that customer's connection; being on the network was treated as proof of identity. Acting on an email from an anonymous researcher, whose findings were verified by two other researchers, ZDNet notified the internet company that the API could be tricked into handing customer data to others.
"As soon as we became aware of this situation, our engineers turned the feature off, which could only be accessed within a customer's home or while logged into the customer's Wi-Fi network," a Comcast spokesperson cited by ZDNet said, noting that the company has "no reason to believe that anyone's account information was improperly taken or used."
Contending that "overlooking basic API authentication illustrates a shameful degree of negligence at Comcast," Ben Johnson, CTO and co-founder at Obsidian Security, said that while "the average consumer would only be at risk if an adversary had already gained access to their network," a small or midsized business would be at greater risk.
"All an adversary would need to do is ask for the Wi-Fi password (which they would likely be given) and then get their hands on highly sensitive customer information, including customer location data which is the most valuable information a company can have," said Johnson. "And the retailer would have no way of knowing until the ransom note showed up."
He called for security teams "to think through all aspects of authentication and authorization," cautioning that "assuming that adversaries can't get access to certain areas of the business is no way to build a security strategy."