Comcast Routers Are Leaking User Details Including Password Information

XFI technology seen at the Comcast NYC UX Team Shoot at the Comcast NYC UX Studio on March 21, 2017, in New York, NY. (Jeff Fusco/AP Images for Comcast)

Comcast has been part of causing a major security breach by revealing the passwords of its customers on Xfinity-provided wireless routers in the plaintext to the public web. Any user with a subscribers account number and street address number will be served WiFi via the company’s Internet activation service. Security researchers Karan Saini and Ryan Stevenson reported the issue to ZDNet.

  1. You can “activate” an account that’s already active
  2. The data required to do so is minimal and it is not verified via text or email
  3. The wireless name and password are sent over the web in plaintext

The findings suggest that with your account number and street address which can be found on a customer paper bill is enough to find out the WiFi password and SSID of other users. Users who have an Xfinity router and Comcast ISP are currently affected by this since they are synced with the user account and can be changed using an app.

There is no immediate fix currently however Xfinity and Comcast will provide a software update to fix this issue. The most possible case is that Comcast will ask its users to change their passwords. The security researchers however are suggesting users buy another router as it will fix the issue immediately. For now, if you can’t afford a router just make sure your connection is encrypted change your network and WiFi password.

Saini has also discovered the Uber two-factor bypass bug and a flaw in India’s national biometric data. ZDNet obtained permission from two Xfinity customers to check their information. We were able to obtain their full address and zip code — which both customers confirmed.

Should router manufacturers be doing more to enhance their security within their products?.

Related posts

Apple Addressed Two Zero-Day Flaws In Intel-based Macs

Really Simple Security Plugin Flaw Risks 4+ Million WordPress Websites

Glove Stealer Emerges A New Malware Threat For Browsers