Community Forum

Security flaw found


Frequent Visitor

Security flaw found

I think it's easier to just describe a scenario and then explain it. This flaw has to do with logins for the X1 DVR website and app, and watching live TV on a device while on the home network.

Say I have 2 computers and 1 iPad. I log in on 1 computer to xtv.comcast.net to watch my DVR. I download Xfinity TV on my iPad to watch my DVR. Everything works fine.

I then go to my 2nd computer, log into Xfinity and change the password on my account. Even after changing my password, all those devices that had logged in stay logged in. I have tested it, and after a week, on my iPad and my first computer I was still able to go in, look at my DVR and watch live TV (on my network). But if I log out and then try to log in using the old login, it doesn't work.

SO it seems that X1 streaming TV and DVR only validate the login when you FIRST log in and at no other time. Meaning on whatever device you ever give that login information, it will STAY logged in unless the owner ever hits log out. So if your account gets hacked, or if you lose a computer/iPad/tablet etc. and change your Xfinity password, ALL those devices will still have access. Comcast needs to fix this so that it validates login credentials every time! Like I said, I gave it a week on my iPad and it still opened up fine even though it was using old login credentials.
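The behaviour described in this post (sessions checked only at login, so they outlive a password change) and the fix asked for (every request re-checked against the current credentials) can be modelled in a few lines. The following is an added example written for this thread, not Comcast's or Xfinity's code; the account and session store, the `credential_version` counter, the device names and the passwords are all constructed for illustration. The idea is the standard one: each session records the credential version it was issued under, a password change bumps the version, and a session whose version no longer matches is revoked on its next use.

```python
"""Session invalidation on password change (added example, not Xfinity code).

A session issued under an old password must stop working as soon as the
password changes, even though it would otherwise live until timeout or logout.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; iteration count chosen for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    credential_version: int = 0  # bumped on every password change


@dataclass
class Session:
    token: str
    username: str
    credential_version: int  # version the session was issued under
    device: str
    issued_at: float = field(default_factory=time.time)


class AuthService:
    SESSION_TTL = 7 * 24 * 3600  # a week, the window the poster tested

    def __init__(self, validate_every_request: bool = True):
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}
        # False reproduces the weak behaviour: credentials checked only at login.
        self.validate_every_request = validate_every_request

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _hash_password(password, salt))

    def _password_ok(self, acct: Account, password: str) -> bool:
        return hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt))

    def login(self, username: str, password: str, device: str) -> Optional[str]:
        acct = self.accounts.get(username)
        if acct is None or not self._password_ok(acct, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, username, acct.credential_version, device)
        return token

    def session_is_valid(self, token: str, now: Optional[float] = None) -> bool:
        sess = self.sessions.get(token)
        if sess is None:
            return False
        now = time.time() if now is None else now
        if now - sess.issued_at > self.SESSION_TTL:
            del self.sessions[token]
            return False
        if self.validate_every_request:
            acct = self.accounts[sess.username]
            if sess.credential_version != acct.credential_version:
                del self.sessions[token]  # issued under credentials that no longer exist
                return False
        return True

    def change_password(self, username: str, old: str, new: str,
                        keep_token: Optional[str] = None) -> bool:
        acct = self.accounts[username]
        if not self._password_ok(acct, old):
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash_password(new, acct.salt)
        acct.credential_version += 1
        if keep_token in self.sessions:  # the device that made the change stays signed in
            self.sessions[keep_token].credential_version = acct.credential_version
        return True

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)


def scenario(validate_every_request: bool) -> Dict[str, bool]:
    """Replays the post: computer 1 and the iPad log in, computer 2 changes the password."""
    svc = AuthService(validate_every_request)
    svc.register("subscriber", "old-password")  # constructed sample account
    pc1 = svc.login("subscriber", "old-password", "computer-1")
    ipad = svc.login("subscriber", "old-password", "ipad")
    pc2 = svc.login("subscriber", "old-password", "computer-2")
    assert svc.change_password("subscriber", "old-password", "new-password", keep_token=pc2)
    return {
        "computer-1": svc.session_is_valid(pc1),
        "ipad": svc.session_is_valid(ipad),
        "computer-2": svc.session_is_valid(pc2),
        "relogin-old": svc.login("subscriber", "old-password", "computer-1") is not None,
        "relogin-new": svc.login("subscriber", "new-password", "computer-1") is not None,
    }


if __name__ == "__main__":
    print("login-time check only :", scenario(False))
    print("check on every request:", scenario(True))
```

With `validate_every_request=False` the result matches the post: computer 1 and the iPad keep working after the change and only a fresh login with the old password fails. With the check enabled, those two sessions are rejected on their next request while computer 2, which made the change, stays signed in. A real deployment would keep the version (or a "password changed at" timestamp) next to the account and compare it on every authenticated request, or, for stateless tokens, embed it in the token and reject mismatches.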

Regular Contributor

Re: Security flaw found

I believe what you're saying is that any currently logged in user in the Cloud DVR doesn't get logged out immediately after that user's Comcast account password is changed. The existing sessions are kept alive until timeout or logout. Probably not a security flaw per se, but you may be requesting them to change the timeout period or cause immediate logout of other devices upon password change.
Frequent Visitor

Re: Security flaw found

By my definition of a security flaw, if a device is logged in under credentials X and those credentials then become invalid, that device should no longer have access. So yes, it is a security flaw, because you do in fact have to enter a user name and password, thus making it a secure login. If that login is compromised by this flaw, then yes, it is a security flaw.

Master's degree in cyber security policy.