Skip to main content

Data-stealing bug prompts Comcast to shut down Xfinity activation website

comcast xfinity store
Ken Wolter/123rf

Two security researchers uncovered a bug within Comcast’s online activation portal that revealed a customer’s home address along with the Wi-Fi network name and password in plain text. Within hours of learning of the flaw uncovered by Karan Saini and Ryan Stevenson, Comcast shut down the Xfinity activation site, citing customer security as its top concern.

In order for customers to activate their routers, they have to visit an Xfinity activation website to enter some user information in order to setup their router and service. Saini and Stevenson discovered that even though the website asks for a customer’s full address, just an apartment or house number was needed along with an account ID. Both pieces of information required to gain access to the activation portal could easily be found on a discarded bill.

The activation portal continues to work and return information about the customer and the Wi-Fi network even after the router and home broadband service has been activated.

If a customer is using a Comcast or Xfinity-branded router, then the activation portal continues to return updated network information, so if a customer changes the network name or password, that latest information would be displayed on the activation portal. ZDNet noted that there’s no way for a customer to opt out of this system. For customers using their own router, the publication discovered that the portal doesn’t have access to the Wi-Fi network name and password to display.

On the primary level, the security concern is that customer’s network data and home address isn’t protected by requiring information that’s not readily available through an account statement. Further, once a hacker obtains the network data, they can use it in a malicious manner if they’re within close proximity to the Wi-Fi network. The network ID and password could be used to gain access to unencrypted web traffic that passes through the router. Additionally, hackers can also temporarily lock users out by changing the network name and password once they have access.

Comcast has since disabled this feature on its website to correct the security flaw. “Within hours of learning of this issue, we shut it down,” a Comcast spokesperson told ZDnet. “We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.” In a separate statement to Gizmodo, Comcast noted that it doesn’t believe that any data was improperly accessed as a result of this bug.

News of the bug comes at a time when Comcast is launching its own mesh networking accessory.

Editors' Recommendations

Chuong Nguyen
Silicon Valley-based technology reporter and Giants baseball fan who splits his time between Northern California and Southern…
Comcast lets people with physical disabilities control a TV with just a glance
comcast xfinity x1 eye control for those with physical disabilities 2

Meet Jimmy | See How Our Technology Is Enabling Him to Be More Independent

For people with physical disabilities that prevent even the smallest of limb movements, Comcast now offers a way to control a TV using existing assistive technology, including eye-gaze systems. Although that sounds like a big leap in technology, it's simple in its execution. Xfinity X1 eye control is the name of a web-based remote that lets those with a variety of assistive technologies from eye-gaze trackers, sip-and-puff switches, and other options, create a software bridge between these systems and Comcast's Xfinity X1 cable boxes.

Read more
Spy on your pets with Comcast’s Xfinity Camera A.I.-powered pet filter
spy on your pets with comcast xfinity camera ai powered pet filter dog tore apart her toy

Comcast announced a new feature for the Xfinity Camera that makes it easier to watch your pets when you're away from home. The furry friend spy cam announcement coincides with the release of The Secret Life of Pets 2.

Read more
AMD’s next-gen CPUs are much closer than we thought
AMD Ryzen 7 7800X3D held between fingertips.

We already knew that AMD would launch its Zen 5 CPUs this year, but recent motherboard updates hint that a release is imminent. Both MSI and Asus have released updates for their 600-series motherboards that explicitly add support for "next-generation AMD Ryzen processors," setting the stage for AMD's next-gen CPUs.

This saga started a few days ago when hardware leaker 9550pro spotted an MSI BIOS update, which they shared on X (formerly Twitter). Since then, Asus has followed suit with BIOS updates of its own featuring a new AMD Generic Encapsulated Software Architecture (AGESA) -- the firmware responsible for starting the CPU -- that brings support for next-gen CPUs (spotted by VideoCardz).

Read more