ZDNet just reported two researchers have accessed Xfinity customers' personal information, using a bug they discovered in the Xfinity web site. Comcast refused to admit that the bug exists, leaving all of us customers in the dark. Here are key excerpts from the ZDNet report:
"A customer account ID and that customer's house or apartment number is needed -- even though the web form asks for a full address. That information could be grabbed from a discarded bill or obtained from an email. In any case, a determined attacker could simply guess the house or apartment number.
"The bug returns data even if the Xfinity Wi-Fi is already switched on. Even when the Wi-Fi password changes, running the details again will return the new Wi-Fi password. There appears to be no way for customers to opt out when using Xfinity hardware.
"It's also possible to rename Wi-Fi network names and passwords, temporarily locking users out.
"An attacker could use the information to access the Wi-Fi network within its range. On the network, an attacker could read unencrypted traffic from other users on the network. Comcast, when contacted prior to publication, did not comment."
Anybody heard about this?