cyber Breach

Comcast

May 11, 2023 1 min read
Comcast

A bug in Comcast's website used to activate Xfinity compromised sensitive information on the company's customers.

The website, used by customers to set up their home internet and cable service, was used to trick into displaying the home address where the router is located, as well as the Wi-Fi name and password.

Only a customer account ID and that customer's house or apartment number are needed, even though the web form asks for a full address.

That information could be grabbed from a discarded bill or obtained from an email.

The bug returns data even if the Xfinity Wi-Fi is already switched on.

It's also possible to rename Wi-Fi network names and passwords, temporarily locking users out.

Source: https://www.zdnet.com/article/comcast-bug-leaks-xfinity-home-addresses-wireless-passwords/

TPRM report: https://scoringcyber.rankiteo.com/company/comcast

"id": "com12229722",
"linkid": "comcast",
"type": "Data Leak",
"date": "05/2018",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'industry': 'Telecommunications',
                        'name': 'Comcast',
                        'type': 'Company'}],
 'attack_vector': 'Web Application Vulnerability',
 'data_breach': {'personally_identifiable_information': ['Home Address'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Home Address',
                                              'Wi-Fi Name',
                                              'Wi-Fi Password']},
 'description': "A bug in Comcast's website used to activate Xfinity "
                "compromised sensitive information on the company's customers. "
                'The website, used by customers to set up their home internet '
                'and cable service, was used to trick into displaying the home '
                'address where the router is located, as well as the Wi-Fi '
                'name and password. Only a customer account ID and that '
                "customer's house or apartment number are needed, even though "
                'the web form asks for a full address. That information could '
                'be grabbed from a discarded bill or obtained from an email. '
                'The bug returns data even if the Xfinity Wi-Fi is already '
                "switched on. It's also possible to rename Wi-Fi network names "
                'and passwords, temporarily locking users out.',
 'impact': {'data_compromised': ['Home Address',
                                 'Wi-Fi Name',
                                 'Wi-Fi Password'],
            'systems_affected': ['Xfinity Website']},
 'title': 'Comcast Xfinity Website Bug Exposes Customer Information',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Information Disclosure'}
Published by
Jeremy C
Jeremy C
You might also like
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.