Xfinity Forum Archive...
This is an archived section of the community.
I think it's easier to just say a scenario and then explain it. This flaw has to do with logins for the X1 DVR website and app, and watching live TV on a device while on the home network.
Say I have 2 computers and 1 iPad. I log in on 1 computer to xtv.comcast.net to watch my DVR. I download Xfinity TV on my iPad to watch my DVR. Everything works fine.
I then go to my 2nd computer and log into Xfinity and change the password to my account. Even after changing my password, all those devices that had logged in will stay logged in. I have tested it and after a week, on my iPad and my first computer I was still able to go in and look at my DVR and watch live TV (on my network). But if I log out, and then try to log in using the old login, it doesn't work.
So it seems that using the X1 streaming TV and DVR only validates the login when you FIRST log in and then at no other time. Meaning on whatever device you ever give that login information, it will STAY logged in unless that owner ever hits log out. So if your account gets hacked, or if you lose a computer/iPad/tablet etc., and change your Xfinity password, ALL those devices will still have access. Comcast needs to fix this to where it validates login credentials every time! Like I said, I gave it a week on my iPad and it still opened up fine even though it was using old login credentials.
By my definition of a security flaw, if any device is logged in under credentials X and those credentials then become invalid, that device should no longer have access. So yes, it is a security flaw, because you do in fact have to enter a user name and password, thus making it a secure login. If that login is compromised by this flaw, then yes, it is a security flaw.
Master's degree in cyber security policy.
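The behaviour reported in the post above, next to one common way to tie sessions to the current password, as an added example that is not part of the original post and is not Comcast's code. The `AccountStore` class, its method names, the per-account credential version and the sample credentials are all assumptions constructed for illustration.

```python
import hashlib, hmac, os, secrets

class AccountStore:
    """Toy in-memory account/session store, constructed for this example."""
    def __init__(self):
        self.users = {}     # user -> (salt, password_hash, credential_version)
        self.sessions = {}  # token -> (user, credential_version at login)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):
        # Every password change bumps the account's credential version.
        version = self.users[user][2] + 1 if user in self.users else 1
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(password, salt), version)

    def login(self, user, password):
        if user not in self.users:
            return None
        salt, stored, version = self.users[user]
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, version)  # remember which password issued it
        return token

    def session_valid_login_only(self, token):
        # Behaviour reported in the post: checked at login, never again.
        return token in self.sessions

    def session_valid_bound(self, token):
        # Re-check on every request: reject sessions from an older password.
        user, issued = self.sessions.get(token, (None, None))
        return user is not None and self.users[user][2] == issued

def scenario():
    store = AccountStore()
    store.set_password("alice", "old-password")   # constructed credentials
    ipad = store.login("alice", "old-password")   # device logged in earlier
    store.set_password("alice", "new-password")   # changed from another device
    fresh = store.login("alice", "new-password")
    return {
        "old_password_login": store.login("alice", "old-password"),
        "ipad_login_only": store.session_valid_login_only(ipad),
        "ipad_bound": store.session_valid_bound(ipad),
        "fresh_bound": store.session_valid_bound(fresh),
    }
```

With the login-only check the iPad session outlives the password change even though the old password itself is rejected at login; with the version-bound check the same session is refused on its next request.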