Slashdot Mirror


Comcast Security Flaw Exposes Partial Addresses, Social Security Numbers of 26 Million Users (buzzfeednews.com)

olsmeister writes: A security flaw in the Comcast Xfinity online portal exposed social security numbers and partial home addresses of more than 26.5 million subscribers, according to security researcher Ryan Stevenson. Comcast says the flaws have already been patched and that it currently has no reason to believe that the flaws were ever exploited. BuzzFeed reports of the two vulnerabilities: One of the flaws could be exploited by going to an "in-home authentication" page where customers can pay their bills without signing in. The portal asked customers to verify their account by choosing from one of four partial home addresses it suggested, if the device was (or seemed like it was) connected to the customer's home network. If a hacker obtained a customer's IP address and spoofed Comcast using an "X-forwarded-for" technique, they could repeatedly refresh this login page to reveal the customer's location. That's because each time the page refreshed, three addresses would change, while one address, the correct address, remained the same. Eventually, the page would show the first digit of the street number and first three letters of the correct street name, while asterisks hid the remaining characters. A hacker could then use IP lookup websites to determine the city, state, and postal code of the partial address.

In the second vulnerability that Stevenson discovered, a sign-up page through the website for Comcast's Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers' Social Security numbers. Armed with just a customer's billing address, a hacker could brute-force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer's Social Security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form.
After learning of these vulnerabilities, Comcast disabled in-home authentication and put a strict rate limit on the portal. Here's what a Comcast spokesperson had to say about the matter: "We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers' security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report."
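The two fixes the story describes, a strict rate limit on the verification form and no longer trusting a client-supplied "X-forwarded-for" header to decide whether a request comes from the home network, look roughly like the following. This is an added illustration written for this page, not Comcast's code; the trusted-proxy range, the account id and the stored last-four value are constructed sample data, and the limiter is a simple fixed-window counter.

```python
import hmac
import time
from ipaddress import ip_address, ip_network

# Assumption (constructed): only our own reverse proxies in this range may set
# X-Forwarded-For; any other peer talking to us directly is an end client.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def client_ip(peer_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Address to use for any 'is this the customer's home network?' decision.

    The TCP peer address is authoritative. X-Forwarded-For is set by whoever
    sends the request, so it is honoured only when the peer is one of our own
    proxies, and then only its right-most entry, the one that proxy appended.
    """
    peer = ip_address(peer_addr)
    if any(peer in net for net in trusted_proxies):
        xff = headers.get("X-Forwarded-For", "")
        if xff:
            return xff.split(",")[-1].strip()
    return peer_addr


class AttemptLimiter:
    """Fixed-window attempt counter keyed on whatever the caller budgets
    (an account id, a billing address, a client address)."""

    def __init__(self, max_attempts, window_seconds):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._state = {}  # key -> (window_start, attempts_in_window)

    def allow(self, key, now=None):
        """Consume one attempt for key; False once the window's budget is spent."""
        now = time.monotonic() if now is None else now
        start, count = self._state.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0          # new window, budget restored
        if count >= self.max_attempts:
            self._state[key] = (start, count)
            return False
        self._state[key] = (start, count + 1)
        return True


# Constructed sample record standing in for the real customer data.
STORED_LAST4 = {"acct-1001": "4821"}


def verify_last4(account, submitted, limiter, now=None, records=STORED_LAST4):
    """Check a submitted last-four value against the account's stored value.

    The budget is charged before the comparison, so once an account is locked
    even a correct guess returns 'locked' until the window rolls over. The
    comparison itself is constant-time.
    """
    if not limiter.allow(account, now):
        return "locked"
    expected = records.get(account, "")
    return "ok" if hmac.compare_digest(submitted, expected) else "wrong"


if __name__ == "__main__":
    # Spoofed header from an untrusted peer is ignored.
    print(client_ip("203.0.113.5", {"X-Forwarded-For": "192.0.2.10"}))
    lim = AttemptLimiter(max_attempts=5, window_seconds=3600)
    t0 = 1000.0
    for i in range(6):
        print(verify_last4("acct-1001", f"{i:04d}", lim, now=t0 + i))
    print(verify_last4("acct-1001", "4821", lim, now=t0 + 6))      # locked
    print(verify_last4("acct-1001", "4821", lim, now=t0 + 3600))   # ok
```

With five attempts per hour per account, covering the 10,000 possible four-digit values takes on the order of 2,000 hours instead of a few seconds; keying the limiter on the billing address as well as the account, and alerting on accounts that hit the lock, is the usual next step.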

1 of 67 comments

  1. Need consequences with teeth by sjbe · Score: 4, Insightful

    A security flaw in the Comcast Xfinity online portal exposed social security numbers and partial home addresses of more than 26.5 million subscribers

    So my beef with this isn't that a security flaw happened. I expect that to happen from time to time even though I think the consequences for it aren't nearly severe enough currently. The problem I have is that Comcast is storing Social Security Numbers in the first place. They have absolutely zero need to store this information. Yes, I'm aware that lots of companies do it and for the most part they don't need it either. But let's ignore that and say they do need/want to store my SSN. Then there should be consequences with serious teeth for security failures regarding sensitive information about me. We have these leaks in part because there are effectively zero consequences for mismanagement of sensitive customer data. The companies simply don't have to care very much. Failure to keep this data secure should result in heavy fines and odious government oversight. It should be ugly enough to make them think seriously about what data they really ought to be storing and how they go about it and what best practices to use. Companies that act responsibly should be free to go about their business but those that can't or won't handle sensitive data responsibly should be very afraid.