
Comcast Faces Fallout From Website Bug That Leaked Consumer Data

It looks like a flaw in Comcast’s website used for the activation of Xfinity routers can be exploited to harvest sensitive consumer information.

According to reports, the purpose of the site is to make it easy for customers to set up their home internet without having to wade through a customer service call. It’s a useful service except for the fact that it can apparently be tricked into displaying the home address of wherever the router happens to be. The site can also be forced to cough up a user’s Wi-Fi name and password.

Two security researchers, Karan Saini and Ryan Stevenson, discovered the bug.

For Saini, this is the third big bug he’s caught — previously, he discovered a flaw in Uber’s two-factor authentication system and a flaw in India’s national biometric database.

To make the exploit work, a customer’s account ID and house or apartment number are needed. In an attempt to replicate the hack, the team at ZDNet got permission from two Xfinity customers to attempt an attack on their accounts.

“We were able to obtain their full address and ZIP code, which both customers confirmed,” the publication reported. “The site returned the Wi-Fi name and password — in plain text — used to connect to the network for one of the customers.”

That customer, the article noted, was using an Xfinity-supplied router. The other customer was using his own router, and the exploit did not send back his username and password.

Furthermore, the problem can’t be remedied by changing hardware: when the researchers ran the exploit again, the site returned the reset password. According to reports, there’s no way for consumers to opt out when using Xfinity hardware.

Among other annoyances associated with the breach, attackers can also use the system to change user network names and passwords, thus locking out rightful users. That, however, would be a fast way to alert the rightful owner to an intruder’s presence.

Saini said that for the breach at hand, it will be nearly impossible to enumerate account numbers.

However, the bug doesn’t seem to give attackers access to sensitive data — like the baseline setting of the router. The best a cybercriminal could hope to do is access a Wi-Fi network within range and use it to sneak on and read all unencrypted traffic from other users on the network.

“There’s nothing more important than our customers’ security,” said a Comcast spokesperson. “Within hours of learning of this issue, we shut it down. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.”

The announcement of the breach is ill-timed for Comcast, which is in the process of burnishing its reputation with a retail reset that will create experimental technology experiences for its customers.

The hope for the program has been to forge a stronger relationship with consumers, who in recent years have relegated the brand to the “things people love to hate” pile.

“We’re opening … next to the Apples and Sephoras and Ultas. We want to be where customers shop,” Comcast’s SVP of Retail Sales and Service Tom DeVito said.

Which is not a terrible idea, but if Comcast doesn’t keep consumer data safe, it won’t have a lot of customers left to shop with it.

Comcast has since removed the option from its website.
