I think it's easier to just describe a scenario and then explain it. This flaw has to do with logins for the X1 DVR website and app, and watching live TV on a device while on the home network.
Say I have 2 computers and 1 iPad. I log in on 1 computer to xtv.comcast.net to watch my DVR. I download Xfinity TV on my iPad to watch my DVR. Everything works fine.
I then go to my 2nd computer, log into Xfinity and change the password for my account. Even after changing my password, all those devices that had logged in will stay logged in. I have tested it, and after a week, on my iPad and my first computer, I was still able to go in and look at my DVR and watch live TV (on my network). But if I log out and then try to log in using the old login, it doesn't work.
So it seems that the X1 streaming TV and DVR only validates the login when you FIRST log in and then at no other time. Meaning whatever device you ever give that login information to will STAY logged in unless the owner hits log out. So if your account gets hacked, or if you lose a computer/iPad/tablet etc., and change your Xfinity password, ALL those devices will still have access. Comcast needs to fix this so that it validates login credentials every time! Like I said, I gave it a week on my iPad and it still opened up fine even though it was using old login credentials.
By my definition of a security flaw, if a device is logged in under credentials X and those credentials then become invalid, that device should no longer have access. So yes, it is a security flaw, because you do in fact have to enter a user name and password, thus making it a secure login. If that login is compromised by this flaw, then yes, it is a security flaw.
Master's degree in cyber security policy.
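The behaviour described in the post, next to one common way to make a password change cut off devices that are already logged in. This is an added example, not part of the original post and not Comcast's code; `SessionStore`, its method names and the sample account are hypothetical.

```python
import hashlib
import hmac
import os
import secrets


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    def __init__(self):
        self.accounts = {}   # username -> {"salt", "hash", "version"}
        self.sessions = {}   # token -> (username, credential version at login)

    def set_password(self, username, password):
        salt = os.urandom(16)
        old = self.accounts.get(username, {"version": -1})
        # Bumping the version is what invalidates sessions issued earlier.
        self.accounts[username] = {"salt": salt, "hash": _hash(password, salt),
                                   "version": old["version"] + 1}

    def login(self, username, password):
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, acct["version"])
        return token

    def validate_login_only(self, token):
        # Behaviour reported in the post: a token issued once is trusted indefinitely.
        return token in self.sessions

    def validate(self, token):
        # Hardened: each request compares the session's version with the account's.
        username, version = self.sessions.get(token, (None, None))
        if username is None or version != self.accounts[username]["version"]:
            self.sessions.pop(token, None)   # drop the stale session
            return False
        return True


def demo():
    store = SessionStore()
    store.set_password("alice", "old-password")        # constructed sample account
    ipad = store.login("alice", "old-password")        # device that stays logged in
    store.set_password("alice", "new-password")        # changed from another device
    return store.validate_login_only(ipad), store.validate(ipad)
```

`demo()` returns one result per check for the same old session token: the login-only check still accepts it after the password change, while the versioned check rejects it and forces a fresh login.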