Welcome to Comcast Help & Support Forums
Find solutions, share knowledge, and get answers from customers and experts

Xfinity TV App Password Security Flaw

ANSWERED
Visitor

Xfinity TV App Password Security Flaw

I was contacted a few weeks ago by Comcast's security department notifying me that my Xfinity username and password information was apparently hacked and posted without my permission on a forum at sinfuliphone.com.

 

I obviously didn't authorize this, and I contacted that website to remove my information they illegally obtained, and they complied with my request to remove it. 

 

Prior to being notified by Comcast's security team, I had already called customer service inquiring about why random recordings were showing up on my DVR that my wife and I had not set to record. Someone also added HBO to my account without my permission. 

 

Anyway, I changed my login and password on Xfinity's site in late November and have since changed it 3 additional times because DVR recordings continue to show up that we didn't set, and the "recently watched" section of the Xfinity TV App has something new on it every day that we have not watched.

 

That's when I suspected, and have since verified through the app with multiple devices, that changing my account password does not require it to be reentered on the Xfinity TV app. This significant security flaw has apparently existed for a while, as I noticed this other Xfinity forum post from May 2015 detailing the same issue (http://forums.xfinity.com/t5/Xfinity-TV-Website/Security-flaw-found/m-p/2530421#M51273).

 

The multiple people that logged into the Xfinity TV App using my login info that was posted without my permission are still able to access my Xfinity account through the app, as well as my DVR recordings and scheduled recordings, because the app does not require that they reenter username and password after they have changed.

 

I've attached 2 screenshots where I've noticed other unauthorized devices signed into my account. The "manage devices" section of the app seems completely pointless if I'm unable to delete these other devices logged into my account.

 

It's beyond my comprehension that this security issue exists with Xfinity, especially since there is a dedicated security team assigned to scour the internet and discover that my information was posted online in the first place. 

 

I'm not aware of any other app or website that allows me to remain signed in with an old password once it has been changed. 

 

Please advise how this serious problem can be resolved.

 

Thanks!

IMG_5983.PNG
IMG_5984.PNG
Official Employee

Re: Xfinity TV App Password Security Flaw


I'm very sorry you and your wife have had to go through this experience - it must be very frustrating! I've removed all devices from your account so the unwanted guests have been kicked to the curb (i.e., they will be asked for a password the next time they attempt to use the app or website).

 

If this ever comes up again (for you or anyone else reading this), call 800-XFINITY and ask to speak to Tier 2 (or higher) technical support who can use an internal tool called "X-Ray" to "deprovision your devices". The frontline customer service agents don't have access to this tool.

 

I'll also discuss with the technical team about the ability to make this capability customer-facing. As you pointed out, currently the "Manage Devices" section only allows for removal of downloads but not full removal of devices.

 

Best,

CocmastDan




I am an Official Comcast Employee.
Official Employees are from multiple teams within Comcast: Product, Support, Leadership.
We ask that you post publicly so people with similar questions may benefit from the conversation.
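
The behaviour discussed in this thread (a password change that leaves already signed-in devices working, and a device list that cannot remove them) comes down to sessions that are not tied to the current credential. The following is an added illustration, not Comcast's code and not part of any post: a minimal session store where a password change invalidates every other device and a single device can be revoked. All names (`SessionStore`, `cred_gen`, `revoke_device`) are hypothetical, and password verifiers are treated as opaque ASCII strings produced by a real password-hashing step elsewhere.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    verifier: str                                  # opaque password verifier (assumed hashed elsewhere)
    cred_gen: int = 0                              # bumped on every password change
    sessions: dict = field(default_factory=dict)   # token -> (device, cred_gen at issue)


class SessionStore:
    def __init__(self):
        self.accounts = {}

    def register(self, user, verifier):
        self.accounts[user] = Account(verifier)

    def login(self, user, verifier, device):
        acct = self.accounts[user]
        if not secrets.compare_digest(acct.verifier, verifier):
            return None
        token = secrets.token_urlsafe(32)
        acct.sessions[token] = (device, acct.cred_gen)
        return token

    def validate(self, user, token):
        acct = self.accounts[user]
        entry = acct.sessions.get(token)
        # Honour a session only if it was issued under the current password.
        return entry is not None and entry[1] == acct.cred_gen

    def change_password(self, user, new_verifier, keep_token=None):
        acct = self.accounts[user]
        acct.verifier = new_verifier
        acct.cred_gen += 1
        # Drop every session; re-issue only the one that made the change, if given.
        kept = acct.sessions.get(keep_token)
        acct.sessions = {keep_token: (kept[0], acct.cred_gen)} if kept else {}

    def list_devices(self, user):
        return sorted(dev for dev, _ in self.accounts[user].sessions.values())

    def revoke_device(self, user, device):
        # Customer-facing "remove device": ends that device's sessions, not just its downloads.
        acct = self.accounts[user]
        acct.sessions = {t: s for t, s in acct.sessions.items() if s[0] != device}
```

The generation check in `validate` duplicates the session wipe in `change_password` on purpose, so a stale session that survives in some cache still fails once the password has changed.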

Visitor

Re: Xfinity TV App Password Security Flaw

Thank you very much for resolving this issue! I don't know what level of technical support I spoke with on the phone, but they certainly didn't mention being able to resolve this issue so simply.

 

Thanks again for your prompt response & resolution!

Official Employee

Re: Xfinity TV App Password Security Flaw


You're welcome, I'm happy to help. Happy New Year to you and your family!




Service Expert

Re: Xfinity TV App Password Security Flaw

 

Solved Topic now Closed.




I am not a Comcast employee, I am a paying customer just like you!
I am an XFINITY Forum Expert and I am here to help. For information on the program click here.
We ask that you post publicly so people with similar questions may benefit from the conversation.

