Slashdot Mirror


Simple Flaw Exposed Data On Millions of Charter Internet Customers

Daniel_Stuckey writes: A security flaw discovered in the website of Charter Communications, a cable and Internet provider active in 28 states, may have exposed the personal account details of millions of its customers. Security researcher Eric Taylor discovered the internet service provider's vulnerability as part of his research, and demonstrated how a simple header modification performed with a browser plug-in could reveal details of Charter subscriber accounts. After Fast Company notified Charter of the issue, the company said it had installed a fix within hours.

29 comments

  1. And they didn't sue him? by Anonymous Coward · · Score: 0

    Amazing

  2. You Won't Believe This One Simple Header Mod by QuasiSteve · · Score: 4, Informative

    I figured I'd keep the subject in tone with TFS's 'upworthiness'.

    But unlike TFS and Upworthy et al, I'll spoil it for you:

    Their servers used the originating IP address to identify a connecting client as being a subscriber. They also followed "X-Forwarded-For" - a header normally used to indicate that the connecting client is effectively just being a proxy. Thus by manually setting this header to a valid subscriber's IP address, the attacker can trick the server into thinking that their client is that of the subscriber.

  3. Ridiculous by Etherwalk · · Score: 4, Insightful

    This is Security 101 stuff... as in, you read a good book on security and you know simple header changes should never be enough to reveal data of another customer. IIRC David LeBlanc's book mentioned a story where he pointed out the problem for a bank once...

    Fundamentally security for most companies is still a "don't invest unless we get caught not investing" type of expense. Like landlords who don't worry about providing... electricity...

    1. Re:Ridiculous by Anonymous Coward · · Score: 0

      Charter needs a lot of 101 courses. They are a small, but terrible company.

    2. Re:Ridiculous by Joe_Dragon · · Score: 2

      But better channel map and more HD than Comcast.

    3. Re:Ridiculous by cusco · · Score: 1

      30 megabit Internet connection to the home? Give me that amount of terrible, please!

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin

    4. Re:Ridiculous by Anonymous Coward · · Score: 0

      60 Mbps min. in my middle of nowhere town.

    5. Re:Ridiculous by rezme · · Score: 1

      I'd say it's more akin to a landlord not providing.... locks.

    6. Re:Ridiculous by Bengie · · Score: 1

      Charter is 100Mb min around here and when I last used them several years back, the Internet was pretty good. They've also been doing a lot of upgrades, all new COAX. Of course none of this started until the other ISP went fiber and is kicking the crap out of them. Gotta love competition.

    7. Re:Ridiculous by Anonymous Coward · · Score: 0

      Outskirts of St. Louis (jeffco) and I've got 100/7 residential service from Charter. It's $60 (just internet).

      Their only competition in the area is AT&T, which tops out in theory at 24/3 (for $75) and in practice at 12/3 (for $55).

    8. Re:Ridiculous by Anonymous Coward · · Score: 0

      60 here in Fort Worth, Texas as well.

    9. Re:Ridiculous by Anonymous Coward · · Score: 0

      Don't be ridiculous, never is a strong word. If the keys are large and evenly distributed, such as UUID4, then they are unguessable.

    10. Re:Ridiculous by GrumpySteen · · Score: 1

      They have 6 million customers and revenue of about 8 billion dollars a year.

      You have quite an odd definition of "small".

  4. Re:Bad Programmer :) by ckatko · · Score: 1, Flamebait

    Yeah, PHP and Javascript programmers are so much better.

  5. Re:Bad Programmer :) by viperidaenz · · Score: 1

    It appears to be .Net
    The customer login page is called login.aspx
    Perhaps you meant C#?

  6. Simple flaw exposed customers data .. by nickweller · · Score: 2

    'Using a lightweight add-on for Firefox to modify HTTP headers, called "X-Forwarded-For Header," an attacker essentially could pass off a Charter customer's IP address as their own. The plug-in, as its description explains, "Inserts a X-Forwarded-For field into the HTTP Request header. Some servers look at this field to identify the originating IP address."'

    What platform does Charter Communications run on, who designed the platform, and what were their names?
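
The trust mistake QuasiSteve spells out (and that the Fast Company quote above describes from the attacker's side) is easy to show in code: a server that identifies the client by IP address must not let an arbitrary request header override the address it actually sees on the socket. The following is an added example written for this page, not code from the thread, from Charter, or from the article. It assumes a constructed subscriber range (203.0.113.0/24), one constructed trusted reverse proxy (10.0.0.5), and a handler that receives the TCP peer address plus the raw headers; the vulnerable resolver sits beside a hardened one that only honours X-Forwarded-For when the peer is a known proxy.

```python
"""Added example (not from the Slashdot thread or Charter's code).

Constructed assumptions: SUBSCRIBER_NETS stands in for the ISP's address
pools, TRUSTED_PROXIES is the only hop allowed to speak for other clients,
and each resolver receives (remote_addr, headers) from the web framework."""
import ipaddress

# Constructed: subscriber address space (documentation range, not Charter's).
SUBSCRIBER_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed: the one reverse proxy whose X-Forwarded-For we trust.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def naive_client_ip(remote_addr, headers):
    """Vulnerable pattern: believe X-Forwarded-For from any peer.

    Whoever sets the header picks the identity the server will use."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)


def hardened_client_ip(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a known proxy.

    Then walk the chain from the right (the end the nearest proxy wrote),
    skipping other trusted hops, so the result is the first address a
    trusted proxy actually observed rather than one the client typed in."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted_proxies:
        return peer  # header is untrusted client input; the socket wins
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed entry: fall back to the proxy itself
        if addr not in trusted_proxies:
            return addr
    return peer  # chain held only trusted hops (or was empty)


def is_subscriber(addr):
    """Authorization check the affected endpoint appears to have relied on."""
    return any(addr in net for net in SUBSCRIBER_NETS)


def account_lookup_allowed(remote_addr, headers, resolver):
    """Decide whether the account page may be served, using the given resolver."""
    return is_subscriber(resolver(remote_addr, headers))


if __name__ == "__main__":
    # Constructed request: an outside host claiming a subscriber's address.
    spoof = {"X-Forwarded-For": "203.0.113.42"}
    print("naive   :", account_lookup_allowed("198.51.100.7", spoof, naive_client_ip))
    print("hardened:", account_lookup_allowed("198.51.100.7", spoof, hardened_client_ip))
```

Run stand-alone it prints `naive   : True` and `hardened: False` for the same spoofed request. The second resolver also defends against a client that prepends a fake entry to a chain that really does pass through the trusted proxy: the proxy appends the true peer address on the right, and the walk from the right returns that address, not the forged one on the left. The general rule is the same on .NET, PHP or anything else: the forwarded-for value is an assertion by whoever sent it, and only the hop you configured as a proxy should be allowed to make that assertion.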

  7. ...it had installed a fix within hours... by Anonymous Coward · · Score: 0

    ...at which point Eric Taylor was promptly cuffed and arrested under the Auernheimer Vulnerability Disclosure Act.

    #parody.

  8. Not The Worst by Guy+From+V · · Score: 1

    As a Charter customer, I've been relatively satisfied with them for over 15 years. I figure I must have it better than Comcast, Cox and whatever customers, I mean...because they are Comcast and Cox customers and shit.

    1. Re:Not The Worst by Guy+From+V · · Score: 1

      But I actually forgot what this story was about and my data and privacy and stuff, so I'll get back to everyone about this.

    2. Re:Not The Worst by Anonymous Coward · · Score: 0

      I am a charter customer, I HATE them. The website has given me a log in redirect loop for the past 6 months so I've had to call to pay my bill, their customer service is *IMPOSSIBLE* to reach a person to complain on, they make it nearly impossible to cancel service, and they are the *ONLY* provider who serves my address, in the middle of a crowded city. Fucking monopolist bullshit evil if you ask me, and I pay out the ass $60 a month for a connection that gets only about 5-10MB/s, something that a poor peasant in South Korea can get for less than 5 bucks a month.

      If you are satisfied with such an anti-competitive, monopolistic shit company like that then I can't imagine what wouldn't satisfy you.

    3. Re:Not The Worst by Anonymous Coward · · Score: 0

      ''better than comcast'' is a really, really low bar.. ya better than comcast, perhaps, but charter still sucks donkey balls.

  9. Re:Bad Programmer :) by MobileTatsu-NJG · · Score: 1

    Good programming languages cannot save a bad design.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  10. One Weird Trick that can steal millions by Anonymous Coward · · Score: 1

    Companies hate him!

  11. Charter kinda sucks by Khyber · · Score: 4, Interesting

    As a Charter customer, here's how lax they are.

    1. Order just internet and phone service, lowest-tier speeds. They come and hook you up with a combo phone/modem, stuff works, you're cruising the internet.
    2. Wait two months, call Charter and ask for an upgrade to their maximum-speed plan.
    3. They come out with ANOTHER modem (without the phone built-in,) on the claim you need that modem to attain the higher speeds.
    4. Tech hooks up the modem, gets it set, leaves.
    5. The other modem NEVER gets deprovisioned for internet.
    6. You now have two IP addresses and two maximum-speed connections for the price of one. Yes, that other modem is MORE THAN CAPABLE of handling Charter's maximum speed.
    7. Multiplex those motherfuckers together and absolutely RAPE Charter's network. They don't seem to care all that much.

    So to find out that they are so lax as to allow something like this to happen, not a surprise, at all.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

    1. Re:Charter kinda sucks by Anonymous Coward · · Score: 0

      Except they're supposed to take the old equipment with them...

    2. Re:Charter kinda sucks by Khyber · · Score: 1

      They can't do that when the modem they give you on the second run is data only with no phone equipment built-in.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

    3. Re:Charter kinda sucks by Khyber · · Score: 1

      Bah, submitted too soon - they do this so they can ding you on the extra equipment charge.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

  12. weev by Anonymous Coward · · Score: 0

    that guy should be thanking his lucky stars he didn't try that with at&t