Comcast has been leaking your Xfinity Wifi password for some time now
Comcast, what the actual fuck?
ZDNet has discovered that a bug on a Comcast website has been leaking customer data.
The site, which has since been updated to remove the bug, was designed to activate Xfinity routers. The bug could allow hackers to gain personal information, including the home address where the router is located, as well as the Wi-Fi name and password. Two security researchers, Karan Saini and Ryan Stevenson, found the bug.
According to ZDNet, the Comcast website returned Wi-Fi names and passwords in plaintext. To find this information, a hacker only needed a customer account ID and that customer’s house or apartment number.
That information could be grabbed from a discarded bill or obtained from an email. In any case, a determined attacker could simply guess the house or apartment number.
The researchers determined the bug returned data even if the Xfinity Wi-Fi was already switched on. It also occurred after passwords had been changed.
Even when the Wi-Fi password changes, running the details again will return the new Wi-Fi password. There appears to be no way for customers to opt out when using Xfinity hardware.
It’s also possible to change Wi-Fi network names and passwords, temporarily locking users out.
Although it’s not believed the sensitive data can be used to access the router’s settings, an attacker within range of the Wi-Fi network could use the information to join it. Once on the network, the attacker could read other users’ unencrypted traffic.
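The flaw described above comes down to treating two guessable identifiers as proof of identity and returning the Wi-Fi secrets in the response. The sketch below is an added example, not Comcast's code: it puts that pattern beside a hardened handler, and every name in it (`ACCOUNTS`, `SESSIONS`, `activate_weak`, `ActivationService`, the lockout threshold) and every sample value is an assumption constructed for illustration.

```python
import hmac

# Constructed sample data; every value here is made up for the example.
ACCOUNTS = {"ACCT-0001": {"house_number": "42", "ssid": "HomeNet",
                          "wifi_password": "correct-horse-battery"}}
SESSIONS = {"tok-abc": "ACCT-0001"}  # token -> account, issued after a real login


def activate_weak(account_id, house_number):
    """Pattern the article describes: two guessable identifiers in,
    Wi-Fi name and password out in plaintext."""
    rec = ACCOUNTS.get(account_id)
    if rec and rec["house_number"] == house_number:
        return {"ssid": rec["ssid"], "password": rec["wifi_password"]}
    return None


class ActivationService:
    """Hardened variant: identifiers are not credentials, failed attempts
    are throttled, and the response never carries Wi-Fi secrets."""
    MAX_FAILURES = 3  # assumed lockout threshold

    def __init__(self):
        self.failures = {}  # account_id -> consecutive failed attempts

    def _fail(self, account_id):
        self.failures[account_id] = self.failures.get(account_id, 0) + 1
        return {"status": "denied"}

    def activate(self, account_id, house_number, session_token):
        # Stop answering once an account has seen too many bad attempts.
        if self.failures.get(account_id, 0) >= self.MAX_FAILURES:
            return {"status": "locked"}
        # The caller must hold a session bound to this exact account.
        if SESSIONS.get(session_token) != account_id:
            return self._fail(account_id)
        rec = ACCOUNTS.get(account_id)
        if rec is None or not hmac.compare_digest(
                rec["house_number"].encode(), house_number.encode()):
            return self._fail(account_id)
        self.failures.pop(account_id, None)
        return {"status": "activated"}  # no SSID, password or address
```

A per-account lockout like this one can itself be used to block a legitimate customer, so a real service would pair it with per-client rate limits and alerting.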
After ZDNet published its findings, Comcast removed the option from its website and said:
There’s nothing more important than our customers’ security. Within hours of learning of this issue, we shut it down. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.
It’s been a busy time for data breaches and leaks.
Earlier this week, ZDNet discovered the TeenSafe app was leaking personal information. Just a few weeks ago, Grayshift, a company that unlocks iPhones for police, was hit. Two months ago, Under Armour announced 150 million MyFitnessPal users might have had personal information compromised. Before that, it was Panera Bread.
If you’re a Comcast customer, how do you feel about the company exposing your information like this? Let us know your thoughts down below.