Data-stealing bug prompts Comcast to shut down Xfinity activation website

comcast xfinity store
Ken Wolter/123rf

Two security researchers uncovered a bug within Comcast’s online activation portal that revealed a customer’s home address along with the Wi-Fi network name and password in plain text. Within hours of learning of the flaw uncovered by Karan Saini and Ryan Stevenson, Comcast shut down the Xfinity activation site, citing customer security as its top concern.

In order for customers to activate their routers, they have to visit an Xfinity activation website to enter some user information in order to setup their router and service. Saini and Stevenson discovered that even though the website asks for a customer’s full address, just an apartment or house number was needed along with an account ID. Both pieces of information required to gain access to the activation portal could easily be found on a discarded bill.

The activation portal continues to work and return information about the customer and the Wi-Fi network even after the router and home broadband service has been activated.

If a customer is using a Comcast or Xfinity-branded router, then the activation portal continues to return updated network information, so if a customer changes the network name or password, that latest information would be displayed on the activation portal. ZDNet noted that there’s no way for a customer to opt out of this system. For customers using their own router, the publication discovered that the portal doesn’t have access to the Wi-Fi network name and password to display.

On the primary level, the security concern is that customer’s network data and home address isn’t protected by requiring information that’s not readily available through an account statement. Further, once a hacker obtains the network data, they can use it in a malicious manner if they’re within close proximity to the Wi-Fi network. The network ID and password could be used to gain access to unencrypted web traffic that passes through the router. Additionally, hackers can also temporarily lock users out by changing the network name and password once they have access.

Comcast has since disabled this feature on its website to correct the security flaw. “Within hours of learning of this issue, we shut it down,” a Comcast spokesperson told ZDnet. “We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.” In a separate statement to Gizmodo, Comcast noted that it doesn’t believe that any data was improperly accessed as a result of this bug.

News of the bug comes at a time when Comcast is launching its own mesh networking accessory.

Smart Home

After camera hacks, Nest locks customers out until they change their password

Nest is locking people out of their accounts if it believes there may have been a breach. Users will have to set up a new, secure password before they are able to regain access to their account.

Everything you need to know about routers, modems, combos, and mesh networks

Modem vs. router: what's the difference? We explain their functions so you can better diagnose any issues prior to contacting technical support. We also talk about a few variants you'll see offered by ISPs and retailers.

Lost your router? Here's how to find its IP address to help track it down

Changing the login information for your router isn't always easy, that's why so many have that little card on the back. But in order to use it, you need to know where to go. Here's how to find the IP address of your router.

Wi-Fi helps connect all of our devices at high-speed, but what exactly is it?

What is Wi-Fi? It's a technology we all use everyday to connect all of our portable devices, but understanding how it works and how far it's come from its humble beginnings is another thing entirely.

Potentially malicious WinRAR vulnerability patched after almost 20 years

WinRAR, a piece of Windows software for managing archival formats, has been harboring a vulnerability for nearly two decades, potentially allowing malicious software to insert items into a computer's startup folder without user permission.

Learn to uninstall a Steam game and clear some space on your PC

Looking to learn how to uninstall Steam games? You've come to the right place. In this guide, we walk you through the process step by step, whether you want Steam to do it for you or handle the process manually.

Prone to web surfing? Google Chrome’s new Focus Mode fights internet distractions

Finding yourself distracted by the web when you need to get work done? A new flag in Google Chrome could hint at a new Focus Mode. The feature may allow computer users to block distracting websites or notifications.

Intel expects Apple to transition Macs to ARM processors in 2020, report says

It has been rumored for some time that Apple could transition away from Intel to ARM processors, but a new report now claims that Intel is aware of the decision and that it could happen in 2020.

Still miss Windows 7? Here's how to make Windows 10 look more like it

There's no simple way of switching on a Windows 7 mode in Windows 10. Instead, you can install third-party software, manually tweak settings, and edit the registry. We provide instructions for using these tweaks and tools.

Dodge the biggest laptop-buying mistakes with these handy tips

Buying a new laptop is exciting, but you need to watch your footing. There are a number of pitfalls you need to avoid and we're here to help. Check out these top-10 laptop buying mistakes and how to avoid them.

Great PC speakers don't need to break the bank. These are our favorites

Not sure which PC speakers work best with your computer? Here are the best computer speakers on the market, whether you're working with a tight budget or looking to rattle your workstation with top-of-the-line audio components.

Confused about RSS? Don't be. Here's what it is and how to use it

What is an RSS feed, anyway? This traditional method of following online news is still plenty useful. Let's take a look at what RSS means, and what advantages it has in today's busy world.

The rumors were true. Nvidia’s 1660 Ti GPU, a $280 powerhouse, has arrived

Nvidia has officially launched the GTX 1660 Ti, its next-generation, Turing-based GPU. It promises to deliver all the performance and efficiency for all modern games, but without stepping into the high price range of the RTX series. 

Metro Exodus update brings DLSS improvements to Nvidia RTX 20-series PCs

Having issues in Metro Exodus? A February 21 update for the title recently delivered enhancements to Nvidia’s deep learning supersampling feature and other fixes for low-specced PCs.