
Bug in Xfinity Leaking Personal Customer Information

Frequent Visitor

Bug in Xfinity Leaking Personal Customer Information

ZDNet just reported two researchers have accessed Xfinity customers' personal information, using a bug they discovered in the Xfinity web site. Comcast refused to admit that the bug exists, leaving all of us customers in the dark. Here are key excerpts from the ZDNet report:

 

"A customer account ID and that customer's house or apartment number is needed -- even though the web form asks for a full address. That information could be grabbed from a discarded bill or obtained from an email. In any case, a determined attacker could simply guess the house or apartment number.

 
"The bug returns data even if the Xfinity Wi-Fi is already switched on.  Even when the Wi-Fi password changes, running the details again will return the new Wi-Fi password. There appears to be no way for customers to opt out when using Xfinity hardware.
 
"It's also possible to rename Wi-Fi network names and passwords, temporarily locking users out.
An attacker could use the information to access the Wi-Fi network within its range. On the network, an attacker could read unencrypted traffic from other users on the network.  Comcast, when contacted prior to publication, did not comment."
 
Anybody heard about this?
Email Expert

Re: Bug in Xfinity Leaking Personal Customer Information

What two researchers?  From where?  What is your source for this claim?  A cursory search of ZDnet brings up nothing about any such "bug".




I am not a Comcast employee, I am a paying customer just like you!
I am an XFINITY Forum Expert and I am here to help. For information on the program click here.
We ask that you post publicly so people with similar questions may benefit from the conversation.

Bronze Problem Solver

Re: Bug in Xfinity Leaking Personal Customer Information

Contributor
Security Expert

Re: Bug in Xfinity Leaking Personal Customer Information

Well, at least it does not affect every one of Comcast's customers:

 

This only affects people who use a router provided by Xfinity/Comcast,

 

 I have escalated this topic to Comcast requesting a response.

 

A veteran - whether active duty, retired, national guard, or reserve - is someone who, at one point in his or her life, wrote a blank check made payable to The 'United States of America', for an amount of 'up to and including my life.'





Cable Expert

Re: Bug in Xfinity Leaking Personal Customer Information

There is a nugget of truth and a bunch of sensational "journalism". The vulnerability is real -- if you have a customer's account number and address, you can then find out their name (which I assume you would know already) and then under the right conditions, you would have access to their home network. It's all academic, there are no documented cases of this actually happening. It should be patched by Comcast, but customers exercising normal security protocols are not in any danger. 





Official Employee

Re: Bug in Xfinity Leaking Personal Customer Information

Hello all, within hours of learning of this issue, we shut down the ability to log into our equipment activation Web site using an account number and address. Xfinity Internet service can still be activated using one of the other two methods (Mobile Phone Number or Xfinity Username and Password). At no time did the site enable anyone to access customers' personal usernames and passwords, and we have no reason to believe that any account information was accessed. We are conducting a thorough investigation and will take all necessary steps to ensure it does not happen again. We are also reviewing all of our authentication practices to ensure they fully protect the privacy and security of our customers.


I am an Official Comcast Employee.
Official Employees are from multiple teams within Comcast: Product, Support, Leadership.
We ask that you post publicly so people with similar questions may benefit from the conversation.

Frequent Visitor

Re: Bug in Xfinity Leaking Personal Customer Information

What about your Router I rent for $11 month 

Every Comcast Xfinity X1 router made by Arris uses the same exact user name: ADMIN

and Password: PASSWORD 

and there is NO way to change this big giant hack into my Comcast account

Comcast is just blocking our ability to activate but not protecting my identity or my name, address and perhaps 

Plug and Play and other router features that come on when one activates a new account set by Comcast Xfinity that could

be used by my neighbors that I do not know their name or address and they should not know my name address and maybe my private info. 

WHY can I not change my Password or user name? I want to change my DNS too. Comcast uses my DNS to run ADS and invade my privacy. I want to be able to program my DNS, Password and user name myself.

And if I try to buy my own ROUTER Comcast Xfinity X1 does not cooperate and give me a list or I read charges $90 to change your insecure $11 month Router.

AND YOU wonder why people have negative views toward Comcast / Xfinity / X-1.

Problem Solver

Re: Bug in Xfinity Leaking Personal Customer Information

@Betar:
You're perfectly capable of changing the default password on your leased Comcast gateway.
And if you want more control over your network, you're also more than welcome to bridge your gateway with a personal router, like I have. The downside is that you lose access to great features like Xfinity xFi, but I'm willing to live with it.
Seriously, stop with the scaremongering across multiple threads.


<<<< "Sometimes the best way to learn something is by doing it wrong and looking at what you did." - Neil Gaiman >>>>
Connection Expert

Re: Bug in Xfinity Leaking Personal Customer Information


@Betar wrote:

I want to change my DNS too. Comcast uses my DNS to run ADS and invade my privacy.


FWIW, Comcast disabled the Domain Helper feature when DNSSEC was deployed in early January 2012. 





Regular Contributor

Comcast Xfinity bug leaked customer home address and Wi-Fi name and password of router

https://www.zdnet.com/article/comcast-bug-leaks-xfinity-home-addresses-wireless-passwords/

 

If they're not selling it, they're giving away your location information.



<--> U.S. Navy Vietnam Era veteran. You're welcome. <-->
Frequent Visitor

Re: Bug in Xfinity Leaking Personal Customer Information

"You're perfectly capable of changing the default password on your leased Comcast gateway. 
And if you want more control over your network, you're also more than welcome to bridge your gateway with a personal router, like I have. The downside is that you lose access to great features like Xfinity xFi, but I'm willing to live with it.
Seriously, stop with the scaremongering across multiple threads."

 

Dear Dark Angel,

That is called a Faux Pas, since a bridge would require that I continue to spend $11 per month and I would still not be able to change my DNS. It would be superior for my Comcast Xfinity Xfi service if I could use my own Router than bridge their router to my own device. BUT, I read that Comcast Xfinity Xfi uses a common Arris Router but does not cooperate if you would like to own your own router.

In any event, I am extremely worried about my personal information and my security.

Maybe you should calm down?   

So, unfortunately your advice does not help. But thanks it is the thought that counts. 

 

Security Expert

Re: Comcast Xfinity bug leaked customer home address and Wi-Fi name and password of router

Being discussed last couple of days here:

 

https://forums.xfinity.com/t5/Anti-Virus-Software-Internet-Security/Bug-in-Xfinity-Leaking-Personal-...

 

 

A veteran - whether active duty, retired, national guard, or reserve - is someone who, at one point in his or her life, wrote a blank check made payable to The 'United States of America', for an amount of 'up to and including my life.'





Bronze Problem Solver

Re: Comcast Xfinity bug leaked customer home address and Wi-Fi name and password of router


@L1ngus wrote:

https://www.zdnet.com/article/comcast-bug-leaks-xfinity-home-addresses-wireless-passwords/

 

If they're not selling it, they're giving away your location information.



More info and a statement here:  https://forums.xfinity.com/t5/Anti-Virus-Software-Internet-Security/Bug-in-Xfinity-Leaking-Personal-...

 

Apparently it's been fixed.

Problem Solver

Re: Bug in Xfinity Leaking Personal Customer Information


@Betar wrote:

"You're perfectly capable of changing the default password on your leased Comcast gateway. 
And if you want more control over your network, you're also more than welcome to bridge your gateway with a personal router, like I have. The downside is that you lose access to great features like Xfinity xFi, but I'm willing to live with it.
Seriously, stop with the scaremongering across multiple threads."

 

Dear Dark Angel,

That is called a Faux Pas, since a bridge would require that I continue to spend $11 per month and I would still not be able to change my DNS. It would be superior for my Comcast Xfinity Xfi service if I could use my own Router than bridge their router to my own device. BUT, I read that Comcast Xfinity Xfi uses a common Arris Router but does not cooperate if you would like to own your own router.

In any event, I am extremely worried about my personal information and my security.

Maybe you should calm down?   

So, unfortunately your advice does not help. But thanks it is the thought that counts. 

 


Then you're not doing it right. I had a leased XB6-A ARRIS TG3482G that I bridged to my ASUS RT-AC68P router, and later on a leased XB6-T Technicolor CGM4140COM that I bridged to a newer ASUS RT-AC88U router, and in both cases I was able to use a different DNS than the Comcast one (including IPv6).

 

As far as a "common Arris router" that doesn't play well with personal routers, you are perhaps confusing that with the well documented issues of the Pace gateway that AT&T uses for its gigabit fiber service.  

 

You should really be careful of repeating verbatim what you read on the internet and proclaiming it as gospel.... some Nigerian prince might take advantage of that. 

 

Whether or not you want to continue paying the $11/mo fee to Comcast to lease one of their gateways is up to you, and is not related to bridging the gateway to a personal router. Use your own modem if you want to avoid the fee. In fact, I just returned the XB6-T and reactivated my SB8200 + TM722G combo because a Comcast tech visit identified a splitter issue that was causing problems with my signal levels, and the router lets me use link aggregation on my QNAP NAS. 

 

So now I pay no rental fees, plus I have my own network that I can manage on my own, no problems. Try it! 

 

 



<<<< "Sometimes the best way to learn something is by doing it wrong and looking at what you did." - Neil Gaiman >>>>
New Poster

Re: Bug in Xfinity Leaking Personal Customer Information

Yes. I am one of the unlucky ones. When I called Comcast this morning the agents knew nothing about this. A couple of days ago Comcast had me change my old router for a new one. Yesterday I received a fraud notice from my bank that someone was trying to buy stereo equipment in Pennsylvania and electronics from another store. Today they cancelled my card and issued a new one. This card was on the billing page for my Comcast account. Comcast has not addressed this to their customers but they need to.
Most Valued Poster

Re: Bug in Xfinity Leaking Personal Customer Information


@lmiller7157 wrote:
Yes. I am one of the unlucky ones. When I called Comcast this morning the agents knew nothing about this. A couple of days ago Comcast had me change my old router for a new one. Yesterday I received a fraud notice from my bank that someone was trying to buy stereo equipment in Pennsylvania and electronics from another store. Today they cancelled my card and issued a new one. This card was on the billing page for my Comcast account. Comcast has not addressed this to their customers but they need to.

I am 100% sure what happened to you has zero to do with the FBI router VPN malware warning. It has to do with routers and not accounts or credit card fraud. Having someone try to use a credit or debit card number to buy something happens all the time unfortunately. It's happened to me 3 times. Most recently a store where I shop was compromised by a hacker and the bank called me that they were issuing a new debit card just in case. They would not tell me which store. All customers of that store had to get new cards. CC fraud is rampant but just because that particular card of yours happens to be on your Comcast acct is a coincidence... I am sure of it.
