Simple Flaw Exposed Data On Millions of Charter Internet Customers
Daniel_Stuckey writes: A security flaw discovered in the website of Charter Communications, a cable and Internet provider active in 28 states, may have exposed the personal account details of millions of its customers. Security researcher Eric Taylor discovered the internet service provider's vulnerability as part of his research, and demonstrated how a simple header modification performed with a browser plug-in could reveal details of Charter subscriber accounts. After Fast Company notified Charter of the issue, the company said it had installed a fix within hours.
I figured I'd keep the subject in tone with TFS's 'upworthiness'.
But unlike TFS and Upworthy et al, I'll spoil it for you:
Their servers used the originating IP address to identify a connecting client as being a subscriber. They also followed "X-Forwarded-For" - a header normally used to indicate that the connecting client is effectively just being a proxy. Thus by manually setting this header to a valid subscriber's IP address, the attacker can trick the server into thinking that their client is that of the subscriber.
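An added illustration of the pattern the comment describes, written for this page and not taken from Charter's site or the article: a client-identification routine that lets the X-Forwarded-For header override the real peer address, beside a hardened version that only honours the header when the TCP peer is one of the site's own reverse proxies. The subscriber range and proxy address below are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data: the address block the application treats as
# "subscriber" traffic, and the reverse proxies allowed to set X-Forwarded-For.
SUBSCRIBER_NETS = [ip_network("198.51.100.0/24")]
TRUSTED_PROXIES = {ip_address("10.0.0.5")}


def client_ip_vulnerable(peer_ip, headers):
    """The flawed pattern: whenever the header is present it wins, so any
    client can claim an arbitrary source address."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return ip_address(xff.split(",")[0].strip())
    return ip_address(peer_ip)


def client_ip_hardened(peer_ip, headers):
    """Trust X-Forwarded-For only when the connection comes from one of our
    own proxies, then walk the chain from the right and stop at the first
    hop that is not a trusted proxy: that is the last address we can vouch
    for. Anything malformed falls back to the peer address."""
    peer = ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return peer  # direct connection: the header is untrusted input
    try:
        chain = [ip_address(a.strip())
                 for a in headers.get("X-Forwarded-For", "").split(",") if a.strip()]
    except ValueError:
        return peer
    for hop in reversed(chain):
        if hop not in TRUSTED_PROXIES:
            return hop
    return peer


def is_subscriber(ip):
    """Subscriber check as the comment describes it: membership in the ISP's ranges."""
    return any(ip in net for net in SUBSCRIBER_NETS)
```

The same spoofed header that unlocks subscriber data under `client_ip_vulnerable` is ignored by `client_ip_hardened` because the peer is not a known proxy; logging cases where the header is present on a non-proxy connection is a cheap detection signal.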