As if you needed yet another reason to loathe your ISP, Comcast has dropped the ball when it comes to properly securing its own wireless products. A pair of security researchers have uncovered a bug on Comcast’s website that allowed unauthorized disclosure of Xfinity customers’ personal data, according to a report from ZDNet. All you needed to ruin someone’s day (or gain unauthorized access to their home network) was an account number and a partial address. Terrible timing, considering Comcast is in the process of launching its own line of mesh network routers.
Researchers Karan Saini and Ryan Stevenson say they uncovered the security flaw on Xfinity’s activation page, used by customers to set up their Xfinity-issued router. By entering a user’s Xfinity account number (obtained via email, a mailed bill, or a bit of social engineering), along with the house or apartment number, the researchers were able to obtain a user’s full address, along with their router SSID and password.
Malicious individuals could take advantage of the lax security measures and use that access to rename the network (its SSID) and change the password to lock users out of their own network. Even if authorized users changed the password themselves, entering the aforementioned information again would yield the updated wifi password, since nothing stopped the lookup from being repeated.
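The flaw described above, modelled as an added example (not Comcast's code; the record layout, the one-time activation token and the lockout counter are assumptions): the weak lookup keyed on two guessable identifiers, beside an activation flow that requires an out-of-band secret, works only once, and never hands back credentials.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    account_number: str
    house_number: str
    full_address: str
    ssid: str
    wifi_password: str
    activation_token: str   # assumption: one-time secret shipped with the router
    activated: bool = False

# Constructed sample records; every value is made up.
RECORDS = {
    "0123456789": Account("0123456789", "42", "42 Example St, Springfield",
                          "HOME-WIFI-42", "correct horse battery",
                          secrets.token_urlsafe(16)),
    "0000000002": Account("0000000002", "7", "7 Sample Ave, Springfield",
                          "HOME-WIFI-7", "staple", secrets.token_urlsafe(16)),
}
MAX_FAILURES = 5
_failures: dict[str, int] = {}

def weak_activation_lookup(account_number: str, house_number: str):
    """Vulnerable pattern: account number plus house number, both low-entropy
    and widely shared, unlock the record; the lookup can be repeated forever
    and the reply discloses the full address and the Wi-Fi password in clear."""
    acct = RECORDS.get(account_number)
    if acct and acct.house_number == house_number:
        return {"address": acct.full_address, "ssid": acct.ssid,
                "password": acct.wifi_password}
    return None

def hardened_activation(account_number: str, house_number: str,
                        token: str, new_password: str) -> bool:
    """Hardened pattern: a high-entropy one-time token delivered out of band is
    required, the flow succeeds once per account, failures are counted so the
    house number cannot simply be cycled, and nothing sensitive is returned:
    the customer sets the Wi-Fi password instead of reading it back."""
    acct = RECORDS.get(account_number)
    if acct is None or acct.activated:
        return False
    if _failures.get(account_number, 0) >= MAX_FAILURES:
        return False                      # locked out after repeated failures
    # Constant-time compare so response timing does not leak partial matches.
    if not (hmac.compare_digest(acct.activation_token, token)
            and acct.house_number == house_number):
        _failures[account_number] = _failures.get(account_number, 0) + 1
        return False
    acct.wifi_password = new_password     # a real backend would store a hash
    acct.activated = True
    return True
```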
“Within hours of learning of this issue, we shut it down,” a Comcast spokesperson told Gizmodo. “At no time did this site enable anyone to access customers’ personal usernames and passwords and we have no reason to believe that any account information was accessed. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.”
To avoid the issue entirely, you could always purchase your own wifi router, which doesn’t share its SSID or password information with Xfinity. Hell, you should probably buy your own cable modem while you’re at it, if only to get rid of the ridiculous monthly surcharge associated with modems and routers.