Posted

Comcast patched a bug Monday that under certain conditions leaked customer SSID names and passwords of Xfinity routers.

The flaw was accessible via the Comcast website used by customers to activate and manage their Xfinity router.

The bug did not affect Comcast customers that used their own private routers.

Researchers Karan Saini and Ryan Stevenson discovered the bug on Monday.

Saini told Threatpost that, after he notified the media of his discovery, Comcast was alerted to the glitch and the bug was quickly patched.

The prerequisite for the website vulnerability was that the researchers needed to have an Xfinity customer’s account number and just the street number (but not the name of the street) of the billing address used at the location of the customer leasing the Xfinity router from Comcast.

With those two pieces of data, Saini discovered a user could access the full address of the Comcast customer’s account, along with the SSID name and password associated with the customer’s Xfinity router.

Access also allowed Saini to change the SSID password.

Comcast released a statement on Monday: “Within hours of learning of this issue, we shut it down.

We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.”

Attack scenarios range from malicious users interested in logging into a customer’s password-protected Wi-Fi network to snoop on or hack endpoints on the local network.

Other possible attack scenarios include performing a man-in-the-middle attack on the shared network or just stealing a neighbor’s Wi-Fi.

Lastly, an attacker could lock a customer out of their own Wi-Fi network by constantly changing their SSID password.

“This becomes essentially a backdoor of sorts,” Saini told Threatpost.

He pointed out that Comcast customer account information can be plucked from a number of places, including the trash, but also sometimes online.

A search of public customer service queries by Comcast customers online revealed that many use their account number to identify themselves to Comcast online customer service agents.

Saini is known for his previous research where he discovered an Uber two-factor bypass bug affecting its customers along with a vulnerability in India’s Aadhaar system, a 12-digit unique identity number.

Saini identified a bug that allowed him to extract personal phone numbers linked to Aadhaar numbers.

Source:

Comcast Patches Router Bug That Leaked Some Wi-Fi Passwords

  • FPCH Admin
Posted
Makes me really glad that I left Comcast and went with Verizon.

~I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant.~

~~Robert McCloskey~~

Posted

I use Comcast. I don't use their hardware - problem solved.

I had a MAJOR problem with Verizon in 2004. I don't trust them. I don't trust Comcast either! But I distrust Comcast less than Verizon. :watch: Sad, isn't it.

  • FPCH Admin
Posted

I had an ongoing problem with Comcast and my internet.

Comcast not only could not figure out what the problem was, they charged me for three service calls and didn't solve the issue.

I went with Verizon and I have had no complaints, so far.

I'll trust them until or unless they give me reason not to any more.

~I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant.~

~~Robert McCloskey~~
