The partial home addresses and social security numbers of more than 26.5 million customers of Comcast Xfinity were exposed due to the company’s shoddy security.
A report by BuzzFeed News revealed that security researcher Ryan Stevenson discovered a vulnerability in the online customer portal of the high-speed internet service provider. The flaw let unauthorized parties determine customers' partial home addresses.
The flaw was uncovered in the "in-home authentication" page, which lets customers view their Comcast bills without actually logging into their accounts.
The purpose of in-home authentication (also called IP authentication, HBA, or home-based authentication) is to reduce the number of password-reset requests and the friction Xfinity customers face when accessing their accounts.
The page displays a list of four partial addresses and asks the visitor to select their own home address from that list to verify the account. Selecting the right one grants access to the Xfinity billing account.
The portal decides which household is visiting by looking at the visitor's IP address. Stevenson found that the page trusted the X-Forwarded-For header of the incoming request as the client's source IP, so by setting that header to a target customer's IP address he could make the portal believe the request came from that customer's home connection.
Refreshing the page repeatedly then changed three of the four partial addresses Comcast suggested; the one that stayed the same was the correct one, belonging to the targeted customer.
An attacker would thus learn the first digit of the house number and the first three letters of the street name of the customer's home address. Combined with the state, city and ZIP code that an IP lookup website returns for the same IP address, that partial data can be used to narrow down the customer's full address, according to BuzzFeed News.
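The two defects described above (trusting a caller-supplied X-Forwarded-For header, and rotating decoys around a fixed real entry) are easy to model. The following is an added example, not Comcast's code or anything from the BuzzFeed report: the IP addresses, street names, decoy pool, `SERVER_SECRET`, trusted-proxy address and all function names are constructed for illustration. It shows the flawed page, the intersect-across-refreshes attack, and a hardened variant that honours X-Forwarded-For only from a known edge proxy and derives the decoys from a keyed hash of the household so refreshing reveals nothing.

```python
"""Model of the Xfinity in-home authentication flaw and a hardened variant.

Constructed example: the IP addresses, street names, server logic and
SERVER_SECRET below are invented for illustration and are not Comcast's code.
"""
import hashlib
import random
from typing import Callable, Dict, FrozenSet, List

# Constructed lookup: customer IP -> partial address (first digit of the house
# number, first three letters of the street name), as the page describes.
HOUSEHOLDS: Dict[str, str] = {
    "203.0.113.7": "4 Oak",
    "203.0.113.8": "1 Elm",
    "198.51.100.2": "7 Map",
}
# Constructed decoy pool; disjoint from the real entries above.
DECOY_POOL: List[str] = ["2 Pin", "9 Ced", "3 Bir", "5 Wil", "8 Ash", "6 Hic", "1 Spr", "4 Lak"]
SERVER_SECRET = b"constructed-secret-do-not-reuse"  # assumption: a server-side key

Fetch = Callable[[str, Dict[str, str]], List[str]]  # (peer IP, headers) -> candidates


def vulnerable_candidates(peer_ip: str, headers: Dict[str, str], rng: random.Random) -> List[str]:
    """The flawed page as the article describes it.

    Two defects: (1) the client IP is taken from X-Forwarded-For, which any
    caller can set; (2) the three decoys are redrawn on every request while the
    real entry is always present, so the stable entry identifies the customer.
    """
    client_ip = headers.get("X-Forwarded-For", peer_ip).split(",")[0].strip()
    truth = HOUSEHOLDS.get(client_ip)
    if truth is None:
        return []  # not a known household: no address prompt
    candidates = [truth] + rng.sample(DECOY_POOL, 3)
    rng.shuffle(candidates)
    return candidates


def hardened_candidates(peer_ip: str, headers: Dict[str, str],
                        trusted_proxies: FrozenSet[str] = frozenset()) -> List[str]:
    """Same page with both defects addressed (an assumed mitigation, not Comcast's fix).

    X-Forwarded-For is honoured only when the TCP peer is our own edge proxy, and
    then only its last hop (the address that proxy actually saw); otherwise the
    socket address is used. Decoys are derived from a keyed hash of the
    household, so refreshing shows the same four entries every time.
    """
    if peer_ip in trusted_proxies and "X-Forwarded-For" in headers:
        client_ip = headers["X-Forwarded-For"].split(",")[-1].strip()
    else:
        client_ip = peer_ip
    truth = HOUSEHOLDS.get(client_ip)
    if truth is None:
        return []
    seed = int.from_bytes(hashlib.sha256(SERVER_SECRET + client_ip.encode()).digest()[:8], "big")
    rng = random.Random(seed)
    candidates = [truth] + rng.sample(DECOY_POOL, 3)
    rng.shuffle(candidates)
    return candidates


def recover_partial_address(fetch: Fetch, target_ip: str, max_rounds: int = 30):
    """Attacker side of the technique in the article.

    Every request claims the target's IP in X-Forwarded-For from an unrelated
    peer address; the candidate lists are intersected across refreshes until a
    single entry survives. Returns None if the page never narrows to one entry.
    """
    survivors = None
    for _ in range(max_rounds):
        shown = set(fetch("192.0.2.50", {"X-Forwarded-For": target_ip}))
        if not shown:
            return None
        survivors = shown if survivors is None else survivors & shown
        if len(survivors) == 1:
            return next(iter(survivors))
    return None


def demo() -> Dict[str, object]:
    """Run the attack against both variants; returns the outcomes for inspection."""
    rng = random.Random(2018)
    vuln: Fetch = lambda peer, hdrs: vulnerable_candidates(peer, hdrs, rng)
    hard: Fetch = lambda peer, hdrs: hardened_candidates(peer, hdrs, frozenset({"10.0.0.1"}))
    return {
        "vulnerable": recover_partial_address(vuln, "203.0.113.7"),
        "hardened": recover_partial_address(hard, "203.0.113.7"),
        # The hardened page still serves the real customer connecting from home.
        "hardened_legit": hardened_candidates("203.0.113.7", {}, frozenset({"10.0.0.1"})),
    }


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable model the attack converges on the target's real entry within a handful of refreshes; against the hardened one the spoofed header is ignored, the attacker's own peer address is not a known household, and no list is returned. Two caveats remain even after hardening: anyone who can originate traffic from the customer's connection (a guest on the home Wi-Fi, for instance) still sees the prompt, and the per-household address list should also be rate-limited, since a fixed set of four candidates still leaks one bit of address information per guess.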