It is yet another case of another data leak. This time, it affects Comcast’s Xfinity’s customers.
Being a hacker must be one of the worlds easiest jobs. All you have to do is wait for corporations or governmental organizations to practically hand you their information. While that isn’t exactly true, the truth just doesn’t seem that far off these days. If the news in the last week is anything to go by, one question might be “what security?”
The latest data leak has happened with America’s most favourite company in the entire county, Comcast.
Earlier this week, security researchers discovered that if you are an Xfinity customer, all you need is a customers account ID and apartment or street number. Both are pieces of information that can be obtained from a customers bill.
From there, the attacker can input both pieces of information onto the Xfinity website. From there, information such as an address, username, password, and other pieces of information can be obtained. Doesn’t take a whole lot of thought as to what someone with nefarious intentions can do with that.
ZDNet tested this alleged security vulnerability and were able to replicate the results:
ZDNet obtained permission from two Xfinity customers to check their information. We were able to obtain their full address and zip code — which both customers confirmed.
The site returned the Wi-Fi name and password — in plaintext — used to connect to the network for one of the customers who uses an Xfinity router. The other customer was using his own router — and the site didn’t return the Wi-Fi network name or password.
The bug returns data even if the Xfinity Wi-Fi is already switched on.
Even when the Wi-Fi password changes, running the details again will return the new Wi-Fi password. There appears to be no way for customers to opt out when using Xfinity hardware.
So, it seems that if you are renting a router, then you are even more vulnerable.
Since the story broke, Comcast made adjustments to the site to remove this vulnerability.
In any event, this latest incident is the latest to embarrass the company which has a long history of customer dissatisfaction.
What’s more, it is also the latest security incident this month that we’ve been able to track. May is becoming an incredibly busy month for these.
The month started off relatively quiet, but came roaring in with a data breach that affected 34.5 million Aadhaar users. Shortly after, Chili’s suffered a data breach with an unknown number of credit cards being compromised. The University of Cambridge suffered its own data leak, affecting 3 million Facebook users. Things continued to become more and more brutal with the data leak found on LocationSmart, affecting potentially any American’s geolocation information on a major carrier. Los Angeles County’s 211 crises and abuse hotline joined the party as 3.2 million records were exposed in their own data leak. Finally, controversial app TeenSafe suffered its own data leak.
If you are following security incidences, May just seems to be the gift that keeps on giving if you can call it that.
Drew Wilson on Twitter: @icecube85 and Google+.
