Comcast security flaws exposed customers' personal info

The company quickly resolved the problems in its Xfinity customer software.

Sean Keane Former Senior Writer
Sean knows far too much about Marvel, DC and Star Wars, and poured this knowledge into recaps and explainers on CNET. He also worked on breaking news, with a passion for tech, video game and culture.
Expertise Culture, Video Games, Breaking News
Sean Keane
2 min read

Comcast Xfinity customers' data was reportedly vulnerable due to flaws its online software.

/ Getty Images

Security flaws in Comcast Xfinity customer software reportedly exposed customers' partial home addresses and Social Security numbers.

Security researcher Ryan Stevenson found that two vulnerabilities in the internet service provider's online portal for its more than 26.5 million customers left the data open to hackers, according to Buzzfeed.

Comcast patched the vulnerabilities after BuzzFeed News reported the findings.

"We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers," a company spokesperson said.

"We take our customers' security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report."

The best PCs for privacy-minded people

See all photos

One flaw was found on Xfinity's in-home authentication page, which allowed customers to pay bills without signing in after proving their identity using a partial home address. Hackers could spoof a customer's IP address and refresh the page, allowing them to figure out the partial address as that one would stay through each refresh.

Comcast disabled in-home authentication after learning of this. You'll need to manually enter your personal information to verify an account.

The other vulnerability lay in the Comcast Authorized Dealers sign-up page. If a hacker that had a customer's billing address brute-forced it -- by trying random four-digit combinations until they happened on the right one -- they could get digits of the customer's Social Security numbers.

The brute-force method was possible because Comcast didn't limit the number of sign-in attempts, but has added a strict rate limit.

Comcast hasn't gotten any reports to suggest that the flaws were used to compromise user data, our sister site ZDNet notes.

Watch this: Brave browser gets more private with Tor

Comcast confirms major Xfinity outage nationwide: For a minute there, it looked like the whole internet was down.

Google doesn't want you to have to think about cybersecurity: You don't think about blinking or breathing, do you?