Slashdot Mirror


Comcast Website Bug Leaks Xfinity Customer Data (zdnet.com)

An anonymous reader quotes a report from ZDNet: A bug in Comcast's website used to activate Xfinity routers can return sensitive information on the company's customers. The website, used by customers to set up their home internet and cable service, can be tricked into displaying the home address where the router is located, as well as the Wi-Fi name and password. Two security researchers, Karan Saini and Ryan Stevenson, discovered the bug. Only a customer account ID and that customer's house or apartment number is needed -- even though the web form asks for a full address.

ZDNet obtained permission from two Xfinity customers to check their information. We were able to obtain their full address and zip code -- which both customers confirmed. The site returned the Wi-Fi name and password -- in plaintext -- used to connect to the network for one of the customers who uses an Xfinity router. The other customer was using his own router -- and the site didn't return the Wi-Fi network name or password.
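As an added example (not Comcast's code, and not from ZDNet or the researchers), here is the flaw pattern the story describes next to a hardened version: an activation lookup that asks for a full address but only compares the house number, and echoes the Wi-Fi passphrase in its response, versus one that matches the whole normalized address and returns no secret at all. The account records, field names and normalization rule are assumptions made for the demo.

```python
"""Added example: two versions of a router-activation lookup handler.
The accounts, field names and address normalization are constructed
for this demo and are not Comcast's implementation."""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    account_id: str
    street_address: str      # full service address on file
    wifi_ssid: str
    wifi_passphrase: str

# Constructed sample data; no real customers or credentials.
ACCOUNTS = {
    "00000001": Account("00000001", "123 Main St Apt 4B, Springfield, 01101",
                        "HOME-4B", "correct horse battery"),
    "00000002": Account("00000002", "123 Main St Apt 7A, Springfield, 01101",
                        "HOME-7A", "staple"),
}

def house_number(addr: str) -> str:
    """Leading digits of an address string ('' if none)."""
    m = re.match(r"\s*(\d+)", addr)
    return m.group(1) if m else ""

def normalise(addr: str) -> str:
    """Fold case, punctuation and whitespace so honest retyping still matches."""
    return re.sub(r"[^a-z0-9]+", " ", addr.lower()).strip()

def lookup_vulnerable(account_id: str, address: str) -> Optional[dict]:
    """The pattern in the story: the form collects a full address but the
    check only compares the house number, and the reply carries the full
    address plus the Wi-Fi secret in plaintext."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or house_number(address) != house_number(acct.street_address):
        return None
    return {"address": acct.street_address,
            "ssid": acct.wifi_ssid,
            "passphrase": acct.wifi_passphrase}

def lookup_hardened(account_id: str, address: str) -> Optional[dict]:
    """Require the whole address the caller claims to know, answer the same
    way for an unknown id and a wrong address (no oracle on which part
    failed), and never hand back the passphrase: activation needs
    'is this router at this address', not the secret itself."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or normalise(address) != normalise(acct.street_address):
        return None
    # Echo nothing the caller did not already supply; the SSID is enough
    # for the customer to confirm they are activating the right gateway.
    return {"ssid": acct.wifi_ssid}
```

In a real deployment the hardened path would also be rate limited per account id and logged, since a full-address check still leaves a guessable space for apartment numbers; the point of the demo is that the server must compare what the form asked for, and must not return data the caller has not proven they already hold.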

43 comments

  1. Would GDPR have prevented this? by Anonymous Coward · · Score: 0

    Would Europe's new GDPR have prevented this from happening?

    1. Re:Would GDPR have prevented this? by Anonymous Coward · · Score: 0

      The GDPR forces residents to change their home Wi-Fi passwords every 3 months. So, yeah maybe!

    2. Re:Would GDPR have prevented this? by Narcocide · · Score: 2

      Probably not, but it probably would at least have given their customers some sort of legal recourse, of which right now they have none.

    3. Re: Would GDPR have prevented this? by triffid_98 · · Score: 1

      Isn't that a trick question? Our government regulatory agency is run by prior executives and lobbyists from companies the agency theoretically protects us from

  2. frost psot!! by Anonymous Coward · · Score: 0

    wow, first past the piost, I am great! making slashdot great afain! cofefe!!

  3. Comcastic. by Anonymous Coward · · Score: 1

    Comcast's email system is also responsible for provisioning the modems. In other words, if you hack it you can upload a malicious boot file to the modem.

  4. Is this going to be worse than the Russian breach? by Blinkin1200 · · Score: 1

    Just wondering... I'm still getting spam related to the Russian breach.

  5. My old ISP by darkain · · Score: 2, Informative

    Don't even need a web site to look up physical locations of virtually everyone with my old ISP. They had the dumb ass bright idea to include the connected device's MAC address listed in the reverse IP address lookup of everyone on their /16 block. Add or subtract 1 or 2 from their MAC address (the WAN port on their router) to get the Wifi MAC address. Use that MAC address with online public Wifi geolocation databases. BAM. I instantly have physically mapped locations of virtually every single user of the ISP based on IP address alone. Which, again, the IP addresses are not hard to figure out, since the ISP is all contained in a single /16 block.

    1. Re:My old ISP by Anonymous Coward · · Score: 0

      Don't even need a web site to look up physical locations of virtually everyone with my old ISP. They had the dumb ass bright idea to include the connected device's MAC address listed in the reverse IP address lookup of everyone on their /16 block. Add or subtract 1 or 2 from their MAC address (the WAN port on their router) to get the Wifi MAC address. Use that MAC address with online public Wifi geolocation databases. BAM. I instantly have physically mapped locations of virtually every single user of the ISP based on IP address alone. Which, again, the IP addresses are not hard to figure out, since the ISP is all contained in a single /16 block.

      Yes, but TFA was also talking about getting wifi name and password as well. I highly doubt it is a "bug" but rather something they didn't plan well. Someone wanted to cut corner and got the cheapest way of doing things.

  6. Re:Is this going to be worse than the Russian brea by SeaFox · · Score: 4, Funny

    You're a Comcast customer. I cannot imagine your life being any worse than that.

  7. Guilty by design. by Narcocide · · Score: 1

    Wow, who knew this internet thing was so complicated, am I right guys?

  8. Another good reason by 93+Escort+Wagon · · Score: 0

    ... to own your own router instead of paying Comcast’s exorbitant monthly rent.

    --
    #DeleteChrome
    1. Re: Another good reason by Anonymous Coward · · Score: 0

      I've never understood why more people don't do this. You can get good routers for cheap these days

    2. Re: Another good reason by Anonymous Coward · · Score: 0

      The important part is the modem, not the router. Most people are familiar with needing to buy a router for their home. Many already have their ISP's modem/router combination, and their own router. Replacing the modem itself to a current DOCSIS model will save them the monthly rental fee (Xfinity at least does this) and the modem will pay for itself within a year, easy.

  9. Re:Is this going to be worse than the Russian brea by grep+-v+'.*'+* · · Score: 4, Interesting

    I'm a business user. I can call 24x7 and within 60 seconds be talking to a real English-speaking tech about bits and bytes, DHCP, speeds & outages, or whatever connectivity issues I can think of and we can talk in real-time -- no scripts, "I'll research this bite thing you speak of and get back to you", or anything like that. One guy was surprised about my internal network config (he'd SSHed into the router) and we talked a few minutes about pros and cons.

    The worst I've had is like a 90-second hold researching how bad an outage was (storm hit multiple points and devices) and trying to determine an overall ETA. They were close --within 2 hours -- and I suspect they were pulling a Scotty.

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  10. comcast public hotspot that runs on their router by Joe_Dragon · · Score: 0

    comcast public hotspot that runs on their router at homes may be part of the hole.

  11. too bad you can't with static ip on comcast or gig- by Joe_Dragon · · Score: 1

    too bad you can't with static ip on comcast

  12. Re:too bad you can't with static ip on comcast or g by b0s0z0ku · · Score: 2

    You can probably put their PoS modem in bridge mode and stick your own router behind it.

  13. Re:Is this going to be worse than the Russian brea by Anonymous Coward · · Score: 0

    Also a business customer here. They treat me GOOD. It's more expensive for the same speed, but the connection is solid and the speed is reliable.

  14. Re:Is this going to be worse than the Russian brea by Anonymous Coward · · Score: 0

    Comcast business was really crappy when my company had a modem hardware issue causing random outages for 5-15 minutes. It first took a long time for them to acknowledge the problem (they would claim that they didn't see any outage and our modem had not rebooted), and when they finally sent out a tech they refused to swap our modem for a different model until more weeks of back and forth. This issue spanned months and cost hours of lost employee time.

    On the plus side, their support is willing to acknowledge when there is a problem on their end and not make you go through the whole ritual of reboot everything. Personally, I have had good experiences with non business customer support.

  15. Devil advocate by Zebai · · Score: 1

    To play devil's advocate here, it does say you need the customer ID, aka account number, for this to be possible. There are only a couple of ways to get an account number, even if you are trying to get your own account.

    1. Steal a copy of the bill.
    2. Login to the account online (meaning you already have their account password)
    3. Be told the account number by a rep, whom you have to have the address/SSN for anyway

    So someone who has managed to breach one of these security measures, and who already knows enough about their address to have an apartment number or house number... seriously, someone in this situation has worse things off than their wifi password being compromised, as such a person could just call into customer service and order anything.

    1. Re:Devil advocate by XxtraLarGe · · Score: 1

      Option 4:
      Phishing scam that asks for account number & address.

      --
      Taking guns away from the 99% gives the 1% 100% of the power.
  16. Re:too bad you can't with static ip on comcast or g by Zebai · · Score: 1

    My #1 peeve with those POS modems is this bridge mode. Let me clarify things, it's pseudo bridge mode. Meaning it's faked: the modem's firmware runs at any given time 4 wifi broadcasts, only 2 of which turn off in bridge mode. 2.4 & 5ghz xfinity wifi hotspot, and a hidden network for the home security touchpad to connect to.

  17. WIFI Name and Password? by zifn4b · · Score: 1

    How can that be? Does that only apply to Comcast supplied residential gateways that are both cable modem and WIFI router in one? I never use Comcast's gateways. They are terrible. For the longest time all they supported WIFI-wise was 2.4 ghz 802.11g. If you wanted to use your own router, you had to set their gateways in bridge mode which different techs had varying opinions about whether that would work well with their particular Arris hardware. I decided to go with my own router and mesh WIFI system. Seriously, why would you pay a monthly rental fee for a piece of junk not only from a technical perspective but now also from a security perspective?

    --
    We'll make great pets
    1. Re:WIFI Name and Password? by Anonymous Coward · · Score: 0

      Seriously, why would you pay a monthly rental fee for a piece of junk not only from a technical perspective but now also from a security perspective?

      Most people do not know any better and assume that their ISP actually knows what they're doing. I don't really think that is an unreasonable expectation either.

  18. The only thing worse than Comcast is .... by Anonymous Coward · · Score: 0

    The only thing worse than Comcast is ....

    Cox, AT&T, Verizon, or one of the 3M/384K DSL providers forced to use old DSL from AT&T.

    I don't have Xfinity. I have a Business connection. It is slow - 15/3 Mbps. No monthly data caps. I get to speak with humans from my country, seldom with an accent. Called on Easter Sunday around 5am - outage - and got connected to a guy in Texas somewhere who actually knew what was going on AND understood networking. He was bored, so we spent 20 minutes trying to find the limitation of user password complexity on the router. It accepted 20 character passwords without punctuation, but not 21 characters. Every 24 hours, the password was reset back to the default (you can look it up). Since we have a /29 subnet, we can mainly enable and disable bridge mode but not much else on the system. My router handles the 5 IPs, so there isn't much risk. I consider the Comcast router to be part of the untrusted internet.

    I've worked at and with a few of the companies in my list. They deployed BlueCoat devices when I was there. If you know about BC, then you know why. I don't use any services from that ISP company.

    Comcast is expensive. Comcast is slow. I can pay $500/month for a GigE connection with an $800 installation fee here. No competition. I cannot get GigE from any other provider. I did look at setting up a 20GHz LOS connection using Ubiquiti wireless relays a few years ago. Would need to build a tower to get above our trees for it to work AND have to pay for the internet on the other side. It was about $3K for all the equipment that should last 10 yrs. About that time, I saw lots of different telecom trucks putting new lines on the main road nearby. It is just a matter of time for competition to arrive and GigE to be around $150/month. Only google forces competition below $100.

  19. Re:Is this going to be worse than the Russian brea by pnutjam · · Score: 1

    Comcast has great service in many areas, it has terrible service in many others. They also don't always know which department handles a given account, in my past experience. Some of this might have improved.

    Currently, I use them and get reliable internet. Their major policies are mostly OK. They don't block ports. They answer queries and transfer me if I'm too technical.
    I, however, don't use their router or their DNS. I know how to ensure I'm getting what I pay for. Those who are minimally technical or not technical may have worse outcomes.

  20. Re:Is this going to be worse than the Russian brea by Anonymous Coward · · Score: 0

    Yum, priority support, and no data caps, but still no useful SLA. The crap at my office goes down almost every day (usually for just a few seconds, but enough to break stuff), we're on a seriously overloaded plant (I actually got them to log into their system in front of me; they said they'd do something about it, but nothing was ever done), and techs trying to babble about SNRs (they're fine, all but one channel was over 30, and that one was just under). Also, forcing folks to use one of two crappy routers to support static IP addresses is fun (but that's at any tier).

  21. Re:too bad you can't with static ip on comcast or g by thegreatbob · · Score: 1

    Indeed, the options provided to us where I work were an SMC router with completely broken IPv6 support, and a Cisco router that may or may not have had that buggy Intel Puma 6 chipset (whatever it was, it imparted erratic latency on all traffic traversing it, had several% packet loss overall, dropped out several times per day and was otherwise a mess... but it did have decent WiFi)

    --
    There is no XUL, only WebExtensions...
  22. Re:Is this going to be worse than the Russian brea by thegreatbob · · Score: 1

    Same connection you'd be getting as residential, you're paying for priority support and, I think, no data caps. Doesn't appear to have any other benefits, unless you like a lighter wallet.

    --
    There is no XUL, only WebExtensions...
  23. Re:Is this going to be worse than the Russian brea by Anonymous Coward · · Score: 1

    You missed the point. Comcast Business offers you SLAs among other things. If you live in an area with 'terrible service' then you should consider Comcast Business. Every time service goes out and they don't fix it within 2-4 hours, you get a free month of service. Ergo, areas with terrible service should be able to get free internet until they make their service better than terrible.

    But something tells me you just want to bitch about Comcast rather than make lemonade with the lemons that life dealt you.

  24. Re:Is this going to be worse than the Russian brea by omnichad · · Score: 1

    Hate your service? Pay double! That will make it twice as good.

  25. Re:too bad you can't with static ip on comcast or g by omnichad · · Score: 1

    You would hope that the xfinity hotspots are on a separate isolated network anyway, so that doesn't necessarily negate the bridge. The modem would probably be getting two additional private IPs from the uplink to do the other business on.

  26. Re:Is this going to be worse than the Russian brea by jittles · · Score: 1

    Same connection you'd be getting as residential, you're paying for priority support and, I think, no data caps. Doesn't appear to have any other benefits, unless you like a lighter wallet.

    I believe you get multiple static IP addresses (at least one, anyway), reverse DNS, and no filtering on your inbound service ports. So you could actually use it as a mail server, for instance. Comcast home networks won’t work that way, and they won’t let you use reverse DNS so even if you bypass it with different ports it just gets sent to /dev/null by the receiving server.

  27. Renting the modem is a waste by Anonymous Coward · · Score: 0

    They charge you $8-10/month for your modem. I bought mine for $160 back in 2011. So my recovery time was many years ago. My manager had been renting for 12 years - she complained to me about her bill and I told her to buy her own modem. Her husband bought one the following week.

  28. Crappy XFinity routers by tgrigsby · · Score: 1

    Yet another reason to avoid their crappy XFinity wi-fi routing features. Mine are turned off so I can use my own router, which gives me full control and allows me to lock things down. Convincing Comcast to bridge the router was a real pain, but keeping their techs tied up for three days convinced them I wasn't going to give up, and they finally relented.

    --
    *** *** You're just jealous 'cause the voices talk to me... ***
  29. So? by Anonymous Coward · · Score: 0

    So the bug exposes people's names and addresses? God forbid one of these security researchers ever opens a phone book.

  30. Re:Is this going to be worse than the Russian brea by pnutjam · · Score: 1

    Yeah, a business needs service now. Free service later doesn't do much good. For what it's worth, the problems I had with "not my department" were business class service.
    I've always been pretty satisfied with their consumer service. I use the X1 dvr and it's pretty awesome. Their on-demand selection is head and shoulders above AT&T's. Their internet is totally suitable, especially if you know what you're doing.
    My main complaint is that even if you know what you're doing, they play weird games on the backend sometimes. These can vary by region.

  31. Re:Is this going to be worse than the Russian brea by Anonymous Coward · · Score: 0

    No blocked ports. On residential, I cannot operate an e-mail server. No outbound SMTP whatsoever.

    Comcast Business is a ploy to get people to pay more for an unfettered, dumb pipe. Which is what they *thought* they were buying to begin with.

    We need regulation to get rid of this shit. Either sell me a dumb pipe or don't offer service in my area at all.

  32. Re:Is this going to be worse than the Russian brea by Anonymous Coward · · Score: 0

    As someone who's interested, and owns their own modem, what are the best steps to take to "know what I'm paying for"? I've heard a lot of speed test sites are pre-cached and spoofed to give you incorrect numbers. What process do you use to "feel out" your network environment?

    I'll leave your comment in a separate tab so I can reply if/when you decide to reply. No hit-n-run commenting here. :)

  33. Re:Is this going to be worse than the Russian brea by pnutjam · · Score: 1

    I usually use a few different speedtest sites.
    https://sourceforge.net/speedt...
    http://speedtest.xfinity.com/
    https://fast.com/en/

    I also monitor my router's bandwidth and compare to xfinity's graphs. I test speeds inside various VPNs if I'm suspicious about site or type throttling. I have some iperf endpoints I can use for testing more in depth.

    A lot of times, it's just noticing whether a problem exists. I keep up a remote connection to my home using x2go most days, so I notice outages. When I notice problems, or my wife does, I can drill down and figure out if it's DNS, wireless, or an actual ISP problem.
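The "drill down" step above, as an added example that is not pnutjam's own tooling: three probes (is the default gateway reachable, is a public IP reachable, does a hostname resolve) are reduced by a small decision table to a verdict of local/Wi-Fi, ISP, or DNS. The gateway address, probe IP, probe hostname and Linux `ping` flags are assumptions for the demo; the probe functions are injectable so the classification can be exercised without a network.

```python
"""Added example: classify a home-connection outage as local, ISP or DNS.
Probe targets and ping flags are assumptions for this demo."""
import socket
import subprocess
from typing import Callable

def ping(host: str, timeout_s: int = 2) -> bool:
    """One ICMP echo via the system ping binary (Linux-style -c/-W flags assumed)."""
    try:
        result = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return result.returncode == 0
    except OSError:
        return False   # ping binary missing or not executable counts as "down"

def resolves(name: str) -> bool:
    """True if the configured resolver answers for the name."""
    try:
        socket.getaddrinfo(name, 443)
        return True
    except socket.gaierror:
        return False

def classify(gateway_up: bool, internet_ip_up: bool, dns_ok: bool) -> str:
    """Decision table, checked innermost first: the LAN link, then the ISP
    path (an IP literal so DNS cannot confuse the result), then name resolution."""
    if not gateway_up:
        return "local: router/Wi-Fi unreachable"
    if not internet_ip_up:
        return "isp: gateway reachable but no path to the public internet"
    if not dns_ok:
        return "dns: connectivity fine, resolver failing"
    return "ok"

def triage(gateway: str = "192.168.1.1",          # assumed default gateway
           probe_ip: str = "1.1.1.1",             # assumed public IP that answers ping
           probe_name: str = "example.com",       # assumed name that should resolve
           ping_fn: Callable[[str], bool] = ping,
           resolve_fn: Callable[[str], bool] = resolves) -> str:
    """Run the three probes and return the verdict string."""
    return classify(ping_fn(gateway), ping_fn(probe_ip), resolve_fn(probe_name))

if __name__ == "__main__":
    print(triage())
```

Run it from a cron job or a loop and log the verdict with a timestamp; a run of "isp" verdicts with the gateway still up is the evidence worth having when talking to the provider, while "dns" verdicts point at the resolver you chose rather than the line.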

  34. Re:Is this going to be worse than the Russian brea by Anonymous Coward · · Score: 0

    Sweet, thanks for the info!