Comcast Website Bug Leaks Xfinity Customer Data (zdnet.com)
An anonymous reader quotes a report from ZDNet: A bug in Comcast's website used to activate Xfinity routers can return sensitive information on the company's customers. The website, used by customers to set up their home internet and cable service, can be tricked into displaying the home address where the router is located, as well as the Wi-Fi name and password. Two security researchers, Karan Saini and Ryan Stevenson, discovered the bug. Only a customer account ID and that customer's house or apartment number are needed -- even though the web form asks for a full address.
ZDNet obtained permission from two Xfinity customers to check their information. We were able to obtain their full address and zip code -- which both customers confirmed. The site returned the Wi-Fi name and password -- in plaintext -- used to connect to the network for one of the customers who uses an Xfinity router. The other customer was using his own router -- and the site didn't return the Wi-Fi network name or password.
Don't even need a web site to look up physical locations of virtually everyone with my old ISP. They had the dumb ass bright idea to include the connected device's MAC address listed in the reverse IP address lookup of everyone on their /16 block. Add or subtract 1 or 2 from their MAC address (the WAN port on their router) to get the Wifi MAC address. Use that MAC address with online public Wifi geolocation databases. BAM. I instantly have physically mapped locations of virtually every single user of the ISP based on IP address alone. Which, again, the IP addresses are not hard to figure out, since the ISP is all contained in a single /16 block.
You're a Comcast customer. I cannot imagine your life being any worse than that.
Probably not, but it probably would at least have given their customers some sort of legal recourse, of which right now they have none.
I'm a business user. I can call 24x7 and within 60 seconds be talking to a real English speaking tech about bits and bytes, DHCP, speeds & outages, or whatever connectivity issues I can think of and we can talk in real-time -- no scripts, "I'll research this bite thing you speak of and get back to you", or anything like that. One guy was surprised about my internal network config (he'd SSHed into the router) and we talked a few minutes about pros and cons.
The worst I've had is like a 90-second hold researching how bad an outage was (storm hit multiple points and devices) and trying to determine an overall ETA. They were close -- within 2 hours -- and I suspect they were pulling a Scotty.
If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
You can probably put their PoS modem in bridge mode and stick your own router behind it.