Slashdot Mirror


Comcast Security Flaw Exposes Partial Addresses, Social Security Numbers of 26 Million Users (buzzfeednews.com)

olsmeister writes: A security flaw in the Comcast Xfinity online portal exposed social security numbers and partial home addresses of more than 26.5 million subscribers, according to security researcher Ryan Stevenson. Comcast says the flaws have already been patched and that it currently has no reason to believe that the flaws were ever exploited. BuzzFeed reports on the two vulnerabilities: One of the flaws could be exploited by going to an "in-home authentication" page where customers can pay their bills without signing in. The portal asked customers to verify their account by choosing from one of four partial home addresses it suggested, if the device was (or seemed like it was) connected to the customer's home network. If a hacker obtained a customer's IP address and spoofed Comcast using an "X-Forwarded-For" technique, they could repeatedly refresh this login page to reveal the customer's location. That's because each time the page refreshed, three addresses would change, while one address, the correct address, remained the same. Eventually, the page would show the first digit of the street number and first three letters of the correct street name, while asterisks hid the remaining characters. A hacker could then use IP lookup websites to determine the city, state, and postal code of the partial address.

In the second vulnerability that Stevenson discovered, a sign-up page through the website for Comcast's Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers' Social Security numbers. Armed with just a customer's billing address, a hacker could brute-force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer's Social Security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form.
After learning of these vulnerabilities, Comcast disabled in-home authentication and put a strict rate limit on the portal. Here's what a Comcast spokesperson had to say about the matter: "We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers' security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report."
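The first flaw described above combines two defects: the in-home check trusted a client-supplied X-Forwarded-For header, and the three decoy addresses were re-drawn on every refresh, so the one option that never changed was the real one. The following Python is an added illustration written for this mirror, not Comcast's code or the researcher's: the addresses, decoy pool, account id and `SERVER_SECRET` are constructed, and the fix shown (deriving decoys deterministically from a keyed hash of the account, and only honouring X-Forwarded-For from a known proxy) is one defensive design, not what Comcast actually deployed.

```python
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import random
from typing import Callable, List, Optional, Set

# Constructed sample data (not Comcast's): one subscriber's address and a decoy pool.
TRUE_ADDRESS = "1234 Maple Street"
DECOY_POOL = [
    "88 Oak Avenue", "410 Pine Road", "7 Birch Lane", "2200 Cedar Court",
    "95 Elm Drive", "301 Willow Way", "1600 Spruce Place", "42 Ash Boulevard",
]
# Hypothetical server-side key used to derive per-account decoy choices.
SERVER_SECRET = b"hypothetical-server-secret"
# Fixed-seed generator for the flawed variant so the demonstration is reproducible.
LEAKY_RNG = random.Random(12345)


def mask_address(addr: str) -> str:
    """Keep the first digit of the street number and the first three letters of
    the street name (as the article describes); star out every other character."""
    number, _, street = addr.partition(" ")
    masked_number = number[:1] + "*" * (len(number) - 1)
    masked_street = street[:3] + "".join(" " if c == " " else "*" for c in street[3:])
    return f"{masked_number} {masked_street}"


def options_leaky(account_id: str) -> List[str]:
    """Flawed selection: three fresh random decoys per refresh. The real address is
    the only option that survives repeated reloads."""
    opts = [TRUE_ADDRESS] + LEAKY_RNG.sample(DECOY_POOL, 3)
    LEAKY_RNG.shuffle(opts)
    return [mask_address(a) for a in opts]


def options_stable(account_id: str) -> List[str]:
    """Hardened selection: decoys and their order come from a keyed hash of the
    account id, so every refresh shows the same four options."""
    seed = hmac.new(SERVER_SECRET, account_id.encode(), hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(seed[:8], "big"))
    opts = [TRUE_ADDRESS] + rng.sample(DECOY_POOL, 3)
    rng.shuffle(opts)
    return [mask_address(a) for a in opts]


def survives_refreshes(chooser: Callable[[str], List[str]], account_id: str,
                       refreshes: int = 40) -> Set[str]:
    """Options present on every one of `refreshes` reloads: what a persistent
    observer can single out."""
    common = set(chooser(account_id))
    for _ in range(refreshes - 1):
        common &= set(chooser(account_id))
    return common


def client_address(peer_ip: str, x_forwarded_for: Optional[str],
                   trusted_proxies: Set[str]) -> str:
    """Honour X-Forwarded-For only when the TCP peer is one of our own proxies;
    from anyone else the header is attacker-supplied, so use the peer address."""
    if peer_ip in trusted_proxies and x_forwarded_for:
        # With one trusted proxy layer, the rightmost entry is the one our proxy
        # appended, i.e. the address it actually accepted the connection from.
        return x_forwarded_for.split(",")[-1].strip()
    return peer_ip


def is_in_home(client_ip: str, subscriber_network: str) -> bool:
    """The in-home check, applied to the address we trust rather than to a header."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(subscriber_network)


if __name__ == "__main__":
    print("leaky, survives 40 refreshes:", survives_refreshes(options_leaky, "acct-1"))
    print("stable, survives 40 refreshes:", survives_refreshes(options_stable, "acct-1"))
    print("spoofed XFF from untrusted peer ->", client_address("203.0.113.9", "198.51.100.1", {"10.0.0.2"}))
```

Running it shows the leaky chooser's intersection collapsing to the single masked real address, while the stable chooser keeps all four options across every refresh. Masking alone does not help: the article's partial address is exactly what persistence leaks, so the decoy set has to be as stable as the real entry.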

67 comments

  1. Full Location by darkain · · Score: 1

    A local ISP near me puts the device's MAC address into the reverse DNS lookup of every IP address assigned on their network. Just increase/decrease the MAC address by 1 or 2, and you'll usually get the router's WiFi MAC instead of WAN MAC. With the WiFi MAC in hand, you can use publicly available free online tools to geolocate the access point down to about a 2-4 house accuracy. In other words, you can get near-exact physical location of any user on this ISP from just their IP address. ... It has been like this for over a decade too ... Just verified a few minutes ago that it is indeed still in place ...

    1. Re:Full Location by Jane+Q.+Public · · Score: 1

      This leak looks like lawsuit material to me.

      What's with these companies, can't keep basic data secure?

      Were they born in the '40s?

    2. Re:Full Location by Anonymous Coward · · Score: 0

      Comcast allows you to use your own equipment. Barely-sorta. But it beats paying $10 a month rent on top of having an unconfigurable subnet locally outside of your control. #Sheep to the ISPlaughter

    3. Re:Full Location by Epsillon · · Score: 4, Interesting

      Why do they need an SSN in the first place? If I'm completely honest, we have to bear some of the responsibility for these breaches of security by idly allowing any and all personal information to be collected by any old munchkin. An ISP does not need your SSN, date of birth or anything else beyond your address and payment details.

      For web forms that will not enable the Next button without information they don't need, I usually fake it. That fake data goes into my password manager as a third level of security that only I know.

      --
      Resistance is futile. Reactance buggers it up.

    4. Re:Full Location by SeaFox · · Score: 2

      Why do they need an SSN in the first place? If I'm completely honest, we have to bear some of the responsibility for these breaches of security by idly allowing any and all personal information to be collected by any old munchkin. An ISP does not need your SSN, date of birth or anything else beyond your address and payment details.

      They need your SSN for checking your credit, which is used to determine if you will be required to pay a deposit on your service. Remember that Comcast isn't just an Internet provider, they also sell phone and pay TV service. Services people can run up a pretty penny in post-paid charges on.

      If you're about to say "they can't force you to give them your SSN", you're right. But you also can't force them to give you service. They could also agree to give you service only if you pay a huge deposit (which will be held on your account and refunded after a certain number of billing cycles or cancel service, depending on their policies). It's not a legal requirement, it's a de facto one.

    5. Re:Full Location by Anonymous Coward · · Score: 0

      Yes, no word of who designed that botched interface and the chain of approval by clearly unqualified people. Their security guys asleep at the wheel? CIO not taking responsibility. This is before so timing/response times sideband attacks are planned. Guess a question/s for signon is a shitty idea. Yet another shortcut logon id trick - from a defective consultant. Sue Grabit and Runn Lawyers will fix that!

    6. Re:Full Location by ShanghaiBill · · Score: 5, Interesting

      Why do they need an SSN in the first place?

      Better question: Why do we pretend that SSNs are "secret"?

      They are already semi-public, and generally used as a "citizenship number". There have been so many breaches that nearly every SSN has been leaked multiple times. Why not just go all the way, and make SSNs fully public? Then people could just write it on an envelope, and the USPS would deliver the letter to your current address.

      If companies want something for authentication, they would have to use something sensible instead.

    7. Re:Full Location by Anonymous Coward · · Score: 2, Interesting

      NOPE! You just have to pay a deposit potentially or ask for a manager to override. No reason to give it. https://forums.xfinity.com/t5/Customer-Service/You-should-not-need-my-social-security-to-set-up-service/td-p/2587380

    8. Re:Full Location by Anonymous Coward · · Score: 0

      cable companies invoice ahead a month, and payment due dates are usually before or very shortly after the billed month 'starts'. they have ridiculous late fees and are often quick to pull the plug (generating even more extra fees to 'reconnect'). there is absolutely no reason they "need" a social security number, nor any reason they "need" to check a customer's credit score. they have more than adequate protection against people who don't pay their bills.

      if someone builds-up a ppv bill, they can reject future ppv orders until the bill is paid instead of letting the bill get out-of-hand. how much can easily be set based upon the customer's payment history with the company.

      if someone orders a special event and doesn't have a satisfactory payment history with that company, they can get payment for that event at that time.

      if they have internet overage charges. fuck them. they shouldn't be ripping customers off.

      if they offer phone service, a reasonable amount of long distance, based upon payment history with that company would be allowed before they may request a deposit against future long distance charges (most cable-based phone service is 'unlimited' domestic long distance).

      if they sell a multi-year contract to a residential customer in order to 'save' them money.. with early termination fees and all that other bullshit to generate even more profits. fuck them. EVERYBODY, new customers or old, rich customers or living paycheck-to-paycheck, should be paying the same price for the same service and that service should be available to all, and on a month-by-month basis without term contracts.

      again... there is NO FUCKING REASON a cable company (or a telephone company, or a satellite tv company), NEEDS a social security number or to run a credit check on a customer.

      they insist upon social security numbers so they can match customers to third-party databases and compile customer profiles to sell for even more profits. nothing more.

    9. Re:Full Location by Anonymous Coward · · Score: 2, Interesting

      Then people could just write it on an envelope, and the USPS would deliver the letter to your current address.

      Back in the early 90s when I was in the Navy, we did use our SSN in our mailing address, at least in boot camp.

      Like you say, it isn't really a secret and it wasn't until a few years later that you heard everyone saying not to tell anyone your number and then we started pretending it was a secret.

    10. Re:Full Location by Anonymous Coward · · Score: 0

      #Sheep to the ISPlaughter

      What's so funny about it?

    11. Re:Full Location by Epsillon · · Score: 1

      This is confusing the issue. I'm not trying to imply that the SSN is a secret. I'm implying that it's UNIQUE. I, personally, don't want everything I purchase, every service I sign up for, every bill I pay (yes, I know, card issuers can track this, which is why I prefer cash) or everywhere I go to be uniquely traceable on some database with an easily verifiable primary key.

      It's harder to avoid than it first appears. Every little unique fact about you is one more bitmap to pry into your life and you can only limit it one piece at a time. It's far better if you never accept the linkage in the first place because, once you've given a piece of information away, you've completely lost control of it.

      --
      Resistance is futile. Reactance buggers it up.

    12. Re:Full Location by Anonymous Coward · · Score: 0

      I spent an hour on the phone w/ Time Warner when I refused to give them my SSN. They said it was for a credit check, and I told them I wasn't requesting credit. For an hour.. They finally gave in.

      The reason they want it is that they store all of your web activity URL's for 90 days and when the gov't requests your information they use the SSN to match to their watchlist.

      Bam! you just lost more of your privacy...

    13. Re:Full Location by Richard_at_work · · Score: 1

      It sounds like the US credit checking system is broken then - I don't need to supply the British equivalent (NI Number) when applying for credit, nor do I need to apply for credit to sign up for cable or satellite TV...

      Rather than simply accepting the broken system, you might want to think about how it should be changed.

    14. Re:Full Location by Anonymous Coward · · Score: 0

      Thought about it a long time. Have you attempted to get useful things accomplished in the US house/Senate? It happens, but on politicized issues only. Additionally any fix would be stomped out by the cable lobbyists before a bill would hit the floor.

    15. Re:Full Location by Anonymous Coward · · Score: 0

      They collect DOB and SSN in order to ensure your future business, which is often guaranteed through a multi-year commitment contract, can be used as collateral on a loan for equipment.

      To be frank, if we had a functioning telecom market, this wouldn't be an issue.

      Where are the handcuffs?

    16. Re: Full Location by houghi · · Score: 1

      This is how credit works in Belgium. If you open a loan or a credit, it will be mentioned in the National bank. Only credit companies and banks have access to it. Only the numbers, not company names.
      If you did not pay on any of them for three months, no more new credits.
      Before you give credit, you will check if you are allowed.
      Look at the maximum cost compared to income. Give people credit and you should not have? No legal way to ask for it back if they stop paying.

      --
      Don't fight for your country, if your country does not fight for you.

    17. Re:Full Location by Anonymous Coward · · Score: 0

      It may be that the British system exists because of European privacy rules.

      Our credit checking company in the Netherlands is not allowed by law to use a perfect identifier for a person, they only use the name and birthdate. In fact I know I have a collision with another person who does not have a good credit. The only thing they are allowed is to add a note that there are two persons that have the same name and birth date.

    18. Re: Full Location by Anonymous Coward · · Score: 0

      Computers are hard.

    19. Re:Full Location by Anonymous Coward · · Score: 0

      Many years ago Comcast asked me for my SSN, and I wouldn't give it to them, so no service for me.

      A couple years ago, in a different location, Charter did not ask for my SSN - all they cared about was whether I had any outstanding bills with them (which I did not). Service has been excellent, BTW.

      So if Charter doesn't need it, why does Comcast? As far as I'm concerned, my SSN is between me and the IRS (and anyone giving me taxable income - employer, bank, etc.). Nobody else, especially not the cable company.

    20. Re:Full Location by ole_timer · · Score: 1

      charter is not an rboc so they have different rules. as many others have said, this determines if you have a deposit or not, but it can be over-ridden by manager.

      --
      nothing to see here - move along

    21. Re:Full Location by Anonymous Coward · · Score: 0

      who?

    22. Re:Full Location by Anonymous Coward · · Score: 0

      Agreed. There might not be a master list of 300 million SSNs out there, but I'm sure every single one of those 300 million has been leaked multiple times. Just make it public and reduce the power of that number to nothing.

    23. Re:Full Location by Anonymous Coward · · Score: 0

      Shaw?

    24. Re:Full Location by smooth+wombat · · Score: 1

      The only thing they are allowed is to add a note that there are two persons that have the same name and birth date.

      Well sure, in a country of a few thousand people this works, how about a country with 300+ million people? Do you know how many Matthew/John/Steve Smiths there are in the U.S.? How about Jones? The number of people with the same birthdate and name is probably more than some cities in both the U.S. and Europe.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower

    25. Re:Full Location by DethLok · · Score: 1

      If I understand the SSN correctly, in Australia the equivalent is the Tax File Number (TFN).

      Only an employer, once you're employed, a bank (to deduct tax from any interest you may earn from having money in the bank) and the Tax office are allowed to ask for it. Or store it.

      Anyone else asking for it is committing an offence.

      TFNs are secret.

  2. Sensationalize much? by Anonymous Coward · · Score: 0

    Oh, buzzfeed. This site is beginning to worry me.

  3. How is it that 'partial addresses' are leaked? by Anonymous Coward · · Score: 0

    Is there some powerful security model where the data is split up and kept different places? Or just some ass covering weasel-speak? Anonymous Coward wants to know!

    1. Re:How is it that 'partial addresses' are leaked? by Anonymous Coward · · Score: 0

      It's not a powerful security model either way, they're giving up the digits if you keep failing. How they backend that fail is a moot point. This is indicative of their overall effort.

    2. Re:How is it that 'partial addresses' are leaked? by ShanghaiBill · · Score: 1

      Parts of the addresses were converted to asterisks. This is explained in the summary.

  4. no reason to believe by Anonymous Coward · · Score: 0

    has no reason to believe that the flaws were ever exploited

    Did you mean: Unable to tell if the flaws were ever exploited?

  5. Requiring social security numbers for everything? by Anonymous Coward · · Score: 0

    Huh!?

  6. Re:Better question yet, dumbass Bill by Anonymous Coward · · Score: 0

    I envision a world, a brave world, brimming with life, awash with wonder and excitement.

    Then I open my eyes..

  7. Hard to reduce web foot print by Anonymous Coward · · Score: 0

    Lot of companies still collect and keep too much sensitive information on customers. Just too bad everyone adopted the SS number as the means of identification for credit checks. Yes some stuff was not completely exposed but these days its not hard to fill in the blanks from other sources.

  8. Why are SSN's available to an internet-facing app? by QuietLagoon · · Score: 1

    If you're going to put up a web-facing app, you should give that app access only to the data it needs. Why is a subscriber's SSN required for the app in question here?

  9. Need consequences with teeth by sjbe · · Score: 4, Insightful

    A security flaw in the Comcast Xfinity online portal exposed social security numbers and partial home addresses of more than 26.5 million subscribers

    So my beef with this isn't that a security flaw happened. I expect that to happen from time to time even though I think the consequences for it aren't nearly severe enough currently. The problem I have is that Comcast is storing Social Security Numbers in the first place. They have absolutely zero need to store this information. Yes I'm aware that lots of companies do it and for the most part they don't need it either. But let's ignore that and say they do need/want to store my SSN. Then there should be consequences with serious teeth for security failures regarding sensitive information about me. We have these leaks in part because there are effectively zero consequences for mismanagement of sensitive customer data. The companies simply don't have to care very much. Failure to keep this data secure should result in heavy fines and odious government oversight. It should be ugly enough to make them think seriously about what data they really ought to be storing and how they go about it and what best practices to use. Companies that act responsibly should be free to go about their business but those that can't or won't handle sensitive data responsibly should be very afraid.

    1. Re: Need consequences with teeth by Anonymous Coward · · Score: 0

      I've designed platforms that had to be compliant with HIPAA and PCI regulations. One of those requirements is that any personally identifying information that is at rest must be encrypted. That so many accounts were compromised must mean this information was not encrypted, or the level of encryption was so basic that it might as well not have been.

      Best practice is to assume that bad actors have already penetrated your security. There should never be a repository larger than the data currently in process that is vulnerable. Never.

    2. Re: Need consequences with teeth by FictionPimp · · Score: 2

      Encryption at rest means nothing if the actual mechanism to get to the data isn't secure.

      I can encrypt everything at rest, but I could also forget to verify credentials on the system that has the rights to decrypt....

    3. Re: Need consequences with teeth by fedos · · Score: 1

      We need a HIPAA for consumer finance.

  10. How SSNs are used is the problem by sjbe · · Score: 1

    Better question: Why do we pretend that SSNs are "secret"?

    Lots of data is technically public that you really don't want to be made more available than necessary. Identity theft is a serious problem and given how casually SSN's are handled and how they are used for authentication (even when they shouldn't be), giving a lookup table for them is a terrible idea currently.

    They are already semi-public, and generally used as a "citizenship number".

    That doesn't make it a good idea or desirable. It's certainly at odds with a lot of privacy considerations.

    Why not just go all the way, and make SSNs fully public?

    Because you have to change a lot of other infrastructure and business practices to make that a practical idea. In principle you are right and it shouldn't matter but because of how the darn things are actually used it is a terrible idea currently.

    If companies want something for authentication, they would have to use something sensible instead.

    Hahahahahahaaa... Oh wait, you're serious... Umm, yeah I have ZERO faith that would happen given how poorly they handle them now.

  11. comcast open wifi network the backs on your link by Joe_Dragon · · Score: 1

    comcast open wifi network the backs on your link is also there as well.

  12. So people without logins can be validated. by Anonymous Coward · · Score: 0

    So people without logins can be validated.

    This is a common practice by utilities, health providers, and govts.
    They want people trying to pay not to have trouble. Most people know their address and SSN, but not their account numbers.

    Until there is a law that makes asking/using SSN for anything that isn't tax related, it won't stop. In the USA, SSN is commonly used for credit checks, which is why utilities demand one. They won't provide service to any location without either a credit check or huge pre-service cash payment.

    I tried to get phone service without providing my SSN last move. They said I could stop by one of their offices and make a pre-payment. I don't remember the amount now, but it was over 5x a monthly bill.

    1. Re:So people without logins can be validated. by QuietLagoon · · Score: 1

      ... So people without logins can be validated. ...

      So, convenience instead of security. I would have thought Comcast knew better.

  13. Buzzfeed by Anonymous Coward · · Score: 0

    Who cites buzzfeed... Saw those words and immediately stopped reading.

  14. How comforting by TimeElf1 · · Score: 1

    we have no reason to believe these vulnerabilities were ever used against Comcast customers

    That's not a no. I'd like an actual "no actual customers were harmed with these exploits". Is that too much to ask?

    --
    Cannot find REALITY.SYS. Universe halted.

  15. SSNs are not unique per person by sjbe · · Score: 1

    I'm not trying to imply that the SSN is a secret. I'm implying that it's UNIQUE.

    Social Security Numbers are NOT unique per person. Not even close. People have more than one (often for legitimate reasons) and many numbers are used for more than one person (usually for identity theft). We're talking tens of millions of people here. We tend to think of them as unique identifiers in the sense of a primary key, but in reality they definitely are not reliable in that capacity and never have been.

    It's far better if you never accept the linkage in the first place because, once you've given a piece of information away, you've completely lost control of it.

    Quite so.

    1. Re:SSNs are not unique per person by Known+Nutter · · Score: 1

      We're talking tens of millions of people here. We tend to think of them as unique identifiers in the sense of a primary key but in reality they definitely are not reliable in that capacity and never have been.

      They are reliable enough as a unique identifier for the purposes of attempting identify theft, which was the parent poster's point. Unique enough as a primary key in some national database, okay perhaps not. But the identity thief does not require that level of accuracy to be successful -- and the IRS has no problem treating them as a unique identifier.

      --
      Beware of the Leopard.

  16. Federal regulations for sensitive data by Anonymous Coward · · Score: 0

    If a company handles customer SSNs, they should be required to meet a federally mandated security requirement for handling sensitive data.
    An obvious requirement would be to disallow login spams.
    I don't see why Google doesn't use a webcrawler to look for sites that can be login spammed and blacklist them.
    The fact that such a flaw still exists in 2018 at a major company is astonishing.
    Companies should lose money in proportion to the damage as well as in proportion to the obviousness of the mistake.

  17. Re:Why are SSN's available to an internet-facing a by Quince+alPillan · · Score: 1

    For verification that the user is who they say they are and they're authorized to make changes to the account. This is their sales portal, so they'll verify the user's information first.

  18. Re:Why are SSN's available to an internet-facing a by dknj · · Score: 1

    Why is a subscriber's SSN required, period? Okay I can understand to protect against bad apples. But why do you need my SSN for the future when my payment history is all the credit history you need?

    Because they are selling your data and your SSN is a great choice for a primary key. This is the user's fault. If you think a $250 deposit costs more than your security is worth, then by all means don't stop giving out your SSN

    -dk

  19. Re:Why are SSN's available to an internet-facing a by QuietLagoon · · Score: 1

    ...For verification that the user is who they say they are and they're authorized to make changes to the account. ...

    Why does the app have access to the SSN? Why not, e.g., hash what the customer enters and compare the hashes? Why not, e.g., send the entered SSN off to a different server that does not have internet access and is more secure?
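The comment above suggests hashing what the customer enters and comparing hashes, or shipping the check off to a separate server; comment 16 above asks for the login spam to be disallowed. The Python below is an added illustration for this mirror, not Comcast's code and not an implementation anyone on the page posted: the account ids, digits and `hypothetical-verifier-key` are constructed. It models a verifier that holds a per-account HMAC of the last four SSN digits (so the internet-facing portal never sees the digits or the key) and that locks the account after a fixed number of failures. The caveat worth knowing: four digits is only 10,000 values, so a plain or salted hash of the suffix is trivially reversible if the table leaks; a keyed hash whose key never leaves the verifier, plus the attempt limit, is what actually closes the brute-force the article describes.

```python
from __future__ import annotations

import hashlib
import hmac
import time
from typing import Callable, Dict, Optional, Tuple


class ManualClock:
    """Controllable clock so lockout expiry can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class VerificationService:
    """Stands in for the separate, non-internet-facing verifier. It holds the key
    and a keyed hash per account; the portal only ever gets ok / denied / locked."""

    def __init__(self, key: bytes, max_attempts: Optional[int] = 5,
                 lockout_seconds: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._key = key
        self._max_attempts = max_attempts   # None reproduces the unthrottled flaw
        self._lockout = lockout_seconds
        self._clock = clock
        self._tags: Dict[str, bytes] = {}   # account id -> HMAC tag of last four digits
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def _tag(self, account_id: str, last4: str) -> bytes:
        # Bind the digits to the account so equal suffixes give unrelated tags.
        return hmac.new(self._key, f"{account_id}:{last4}".encode(), hashlib.sha256).digest()

    def enroll(self, account_id: str, last4: str) -> None:
        self._tags[account_id] = self._tag(account_id, last4)

    def verify(self, account_id: str, candidate: str) -> str:
        now = self._clock()
        if self._locked_until.get(account_id, 0.0) > now:
            return "locked"
        actual = self._tag(account_id, candidate)
        # Unknown accounts compare against a dummy so the code path is the same.
        expected = self._tags.get(account_id, bytes(len(actual)))
        if hmac.compare_digest(expected, actual):
            self._failures.pop(account_id, None)
            return "ok"
        failures = self._failures.get(account_id, 0) + 1
        self._failures[account_id] = failures
        if self._max_attempts is not None and failures >= self._max_attempts:
            self._locked_until[account_id] = now + self._lockout
            self._failures.pop(account_id, None)
        return "denied"


def exhaustive_guess(service: VerificationService, account_id: str) -> Tuple[Optional[str], int]:
    """Test client that submits every four-digit suffix in order, the way the
    article says the unthrottled form could be driven. Returns (recovered digits
    or None, number of requests made before it succeeded or was locked out)."""
    for i in range(10000):
        candidate = f"{i:04d}"
        result = service.verify(account_id, candidate)
        if result == "ok":
            return candidate, i + 1
        if result == "locked":
            return None, i + 1
    return None, 10000


if __name__ == "__main__":
    unthrottled = VerificationService(b"hypothetical-verifier-key", max_attempts=None)
    unthrottled.enroll("acct-7", "1234")
    print("no limit:", exhaustive_guess(unthrottled, "acct-7"))
    throttled = VerificationService(b"hypothetical-verifier-key", clock=ManualClock())
    throttled.enroll("acct-7", "1234")
    print("5-attempt lockout:", exhaustive_guess(throttled, "acct-7"))
```

With `max_attempts=None` the guessing client recovers the digits on its 1235th request, which is the behaviour the article attributes to the dealer sign-up page; with the default limit it is locked out on request six. The limit here is per account; a production verifier would also count per source address and alert on lockouts, since a burst of them across many accounts is the detection signal for exactly this kind of enumeration.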

  20. Encryption does not equal secure by sjbe · · Score: 1

    One of those requirements is that any personally identifying information that is at rest must be encrypted.

    That gets routinely and roundly ignored. I've worked in hospital systems and my wife is a doctor. And in most cases nothing really ever comes of it and there are minimal to zero consequences to the organizations that fail to maintain adequate infosec. Plus just because something is encrypted to comply with a statute doesn't mean it is actually secure. That is why you need to have legal consequences with actual teeth to ensure an adequate level of effort is expended to keep data secure and to incentivize companies to not store data that isn't truly critical.

  21. funny thing about comcast's security by sakono · · Score: 1

    I have for the 3 years gotten emails sent to my yahoo email address, from comcast that were sent to another comcast email. my yahoo email is nowhere in comcast's systems and the comcast customer whose emails I'm getting lives on the other side of the state. we don't know each other. Comcast also has no idea why I'm getting copies of this person's emails and I've talked to their security department twice about this and still no fix. The last time they rebuilt his whole email on their system...I still get emails though. So this isn't really surprising honestly.

  22. Re:Why are SSN's available to an internet-facing a by barbariccow · · Score: 1

    Because it's not your "social security password" so why would you salt and hash like a password? That's the thinking (or lack thereof) behind it I assume. If we called it a "social security password" maybe braindead developers would recognize it's sensitive and store a randomly-salted hash. But hell, most of them don't even do that and passwords are exposed. It's all this outsourced development in node js and ruby on snails which prevents actual intelligent people from architecting it properly. As long as they have their scrum degree who cares about skill? Someone with 1 year experience who can "do everything" is hired over us 20-year experience folks who really can do most things in order to "save a couple bucks." I personally think they lose out in the long run with way increased development time and constant bugfixes being required and whatnot, but on paper it saves money in the short term. You know what that means! Big bonuses to big wigs! Yay

  23. Re:comcast open wifi network the backs on your lin by ole_timer · · Score: 1

    ...just logon to router and turn it off...

    --
    nothing to see here - move along

  24. Re:comcast open wifi network the backs on your lin by Joe_Dragon · · Score: 1

    and Comcast has a way of making that turn back on from time to time.

  25. Re:comcast open wifi network the backs on your lin by ole_timer · · Score: 1

    ...not mine...

    --
    nothing to see here - move along

  26. Meh by fedos · · Score: 2

    Our social security numbers have already been leaked by half a dozen negligent organizations.

  27. Re:Why are SSN's available to an internet-facing a by QuietLagoon · · Score: 1

    ...Because it's not your "social security password" so why would you salt and hash like a password? ...

    I never said it was a password.

    ...That's the thinking (or lack thereof) behind it I assume....

    You shouldn't dis someone when you make incorrect assumptions.

  28. Re:Why are SSN's available to an internet-facing a by suutar · · Score: 1

    He seemed to me to be dissing stupid developers who assume that if the field isn't named "password" then it doesn't matter if it's exposed.

  29. Re:Why are SSN's available to an internet-facing a by Anonymous Coward · · Score: 0

    The problem isn't how developers store SSNs, the problem is that they're used in a similar manner to passwords anywhere at all. They should be considered exactly as confidential as a person's name.

  30. CenturyLink by Anonymous Coward · · Score: 0

    CenturyLink asks for an SSN just to email customer service. See https://www.centurylink.com/ho...

  31. Give this time and learn the real numbers later... by jbn-o · · Score: 1

    ...or learn something closer to the real numbers later. As I pointed out earlier these stories follow a pattern and part of that pattern is to lowball the first press release of the number of adversely affected parties. Comcast will likely join the ranks of Equifax, Yahoo, and Hyatt.

  32. Re: comcast open wifi network the backs on your li by Anonymous Coward · · Score: 0

    I have a hunch that net is vulnerable to portal evasion. Call it more than a hunch.