Skip to main content

Data-stealing bug prompts Comcast to shut down Xfinity activation website

comcast xfinity store
Ken Wolter/123rf

Two security researchers uncovered a bug within Comcast’s online activation portal that revealed a customer’s home address along with the Wi-Fi network name and password in plain text. Within hours of learning of the flaw uncovered by Karan Saini and Ryan Stevenson, Comcast shut down the Xfinity activation site, citing customer security as its top concern.

Recommended Videos

In order for customers to activate their routers, they have to visit an Xfinity activation website to enter some user information in order to setup their router and service. Saini and Stevenson discovered that even though the website asks for a customer’s full address, just an apartment or house number was needed along with an account ID. Both pieces of information required to gain access to the activation portal could easily be found on a discarded bill.

The activation portal continues to work and return information about the customer and the Wi-Fi network even after the router and home broadband service has been activated.

If a customer is using a Comcast or Xfinity-branded router, then the activation portal continues to return updated network information, so if a customer changes the network name or password, that latest information would be displayed on the activation portal. ZDNet noted that there’s no way for a customer to opt out of this system. For customers using their own router, the publication discovered that the portal doesn’t have access to the Wi-Fi network name and password to display.

On the primary level, the security concern is that customer’s network data and home address isn’t protected by requiring information that’s not readily available through an account statement. Further, once a hacker obtains the network data, they can use it in a malicious manner if they’re within close proximity to the Wi-Fi network. The network ID and password could be used to gain access to unencrypted web traffic that passes through the router. Additionally, hackers can also temporarily lock users out by changing the network name and password once they have access.

Comcast has since disabled this feature on its website to correct the security flaw. “Within hours of learning of this issue, we shut it down,” a Comcast spokesperson told ZDnet. “We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.” In a separate statement to Gizmodo, Comcast noted that it doesn’t believe that any data was improperly accessed as a result of this bug.

News of the bug comes at a time when Comcast is launching its own mesh networking accessory.

Chuong Nguyen
Silicon Valley-based technology reporter and Giants baseball fan who splits his time between Northern California and Southern…
Don’t miss this chance to buy a MacBook Air at $200 off
The MacBook Air on a table in front of a window.

For those who have always wanted to get one of Apple's MacBooks but can't stomach the price tag, here's your chance to buy one for a relatively affordable price. Best Buy has slashed the price of the 13-inch Apple MacBook Air M3 to only $699, for savings of $200 on its sticker price of $899. You need to act fast though, as there's always high demand for MacBook deals. The stocks that are up for sale may already be gone as soon as tomorrow.

Why you should buy the 13-inch Apple MacBook Air M3

Read more
This HP Chromebook is under half-price today — just $190
The HP Chromebook 14 laptop on a white background.

You should turn your attention towards Chromebook deals if you want to buy a new laptop on a tight budget, and we've found an offer that you won't want to miss. From its original price of $410, the HP Chromebook 14 is down to just $190 for savings of $220 from Walmart. You won't always have the chance to get this device for less than half-price though -- in fact, the opportunity may be gone as soon as tomorrow. If you want to take advantage of the discount, you need to buy the Chromebook right now.

Why you should buy the HP Chromebook 14

Read more
Avast’s most complete antivirus plan is 70% off right now
Couple making selfie inside car with open window.

Avast has been popping off with incredible deals this month. The antivirus company recently offered 70% off its Premium tier of virus protection. For the next 30 days, Avast is extending that offer to its Ultimate tier of protection. That means you can protect one device with Avast Ultimate for $33 for a year, down from its usual $110. If you want to cover 10 devices, you'll only pay $42 instead of $140.

Let's dive into what Avast Ultimate offers and why you might want it over the free tier or the Premium plan. This deal is live now, and will stick around for the next four weeks.

Read more