Security flaw found

Frequent Visitor


I think it's easier to just say a scenario and then explain it. This flaw has to do with logins for the x1 dvr website and app, and watching live tv on a device while on home network.

Say I have 2 computers and 1 ipad. I log in on 1 computer to xtv.comcast.net to watch my dvr. I download xfinity tv on my ipad to watch my dvr. Everything works fine.

I then go to my 2nd computer and log into xfinity and change my password to my account. Even after changing my password, all those devices that had logged in will stay logged in. I have tested it and after a week, on my ipad and my first computer I was still able to go in and look at my DVR and watch live tv (on my network). But if I log out, and then try to log in using the old login, it doesn't work.

So it seems that using the X1 streaming tv and DVR only validates the login when you FIRST log in and then at no other time. Meaning on whatever device you ever give that login information, it will STAY logged in unless that owner ever hits log out. So if your account gets hacked, or if you lose a computer/ipad/tablet etc, and change your xfinity password, ALL those devices will still have access. Comcast needs to fix this to where it validates login credentials every time! Like I said, I gave it a week on my ipad and it still opened up fine even though it was using old login credentials.

Regular Contributor

Re: Security flaw found

I believe what you're saying is that any currently logged in user in the Cloud DVR doesn't get logged out immediately after that user's Comcast account password is changed. The existing sessions are kept alive until timeout or logout. Probably not a security flaw per se, but you may be requesting them to change the timeout period or cause immediate logout of other devices upon password change.
Frequent Visitor

Re: Security flaw found

By my definition of a security flaw, any device that is logged in under credentials X but those credentials then become invalid, those devices should no longer have access.  So yes, it is a security flaw, because you do in fact have to enter a user name and password, thus making it a secure login.  If that login is compromised by this flaw, then yes, it is a security flaw.

 

Master's degree in cyber security policy.
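The thread turns on whether existing sessions should survive a password change. As an added example (not Comcast's code and not written by any poster), this Python sketch binds each session to a credential version that is bumped on every password change, and contrasts it with a check that only confirms the token exists. The `SessionStore` class, its method names and the sample account are all hypothetical.

```python
import hashlib, hmac, secrets, time

class SessionStore:
    """Toy in-memory account and session store, constructed for illustration."""

    def __init__(self, max_age=3600):
        self.accounts = {}   # user -> salt, pw_hash, cred_version
        self.sessions = {}   # token -> user, cred_version, issued
        self.max_age = max_age

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        acct = self.accounts.setdefault(user, {"cred_version": 0})
        acct.update(salt=salt, pw_hash=self._hash(password, salt))
        acct["cred_version"] += 1   # sessions issued before this are now stale

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(
                acct["pw_hash"], self._hash(password, acct["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "issued": time.time(),
                                "cred_version": acct["cred_version"]}
        return token

    def validate_login_only(self, token):
        # Behaviour described in the first post: the token is only looked up.
        s = self.sessions.get(token)
        return s["user"] if s else None

    def validate(self, token, now=None):
        # Per-request check: reject sessions that predate the current
        # credentials or that have exceeded the idle-independent max age.
        s = self.sessions.get(token)
        if s is None:
            return None
        now = time.time() if now is None else now
        acct = self.accounts[s["user"]]
        if (s["cred_version"] != acct["cred_version"]
                or now - s["issued"] > self.max_age):
            del self.sessions[token]   # revoke so it cannot be reused
            return None
        return s["user"]
```
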
