Cory Doctorow | Boing Boing | Source URL
Comcast Xfinity’s login page had an easily found bug that allowed anyone to gain access to the partial Social Security Numbers and partial home addresses of over 26.5 million customers.
Comcast spokesapologist David McGuire says the company patched the bug quickly after being notified of its existence by security researcher Ryan Stevenson, and added that the company “take[s] our customers’ security very seriously,” adding that the company didn’t think anyone had exploited the bug.
I’m going to make a guess here: the bug was the result of one of the many mergers and acquisitions that have allowed Comcast to grow to be the country’s largest and most hated cable operator, as they put profits and growth ahead of integration and security. It’s just a guess, but it’s an educated one. Merging IT systems is one of the most notoriously tricky and insecure things a corporation can do.
This vulnerability was particularly easy to exploit — and use to target someone. It’s simple to obtain someone’s IP address (or “Internet Protocol”), a string of numbers that links your internet activity to the Wi-Fi network you’re using. Web administrators can see the IP addresses of everyone who visits their website. Many forums also disclose users’ IP addresses, along with their usernames. A malicious actor can also send someone a link designed specifically to obtain a target’s IP address.
While an IP address alone is not sensitive information, paired with the knowledge of someone’s internet service provider, it can help a bad actor confirm their target’s specific location. And often, it’s fairly easy to figure out someone’s internet service provider, or ISP, because an area is typically limited to one or two high-speed internet options, thanks to the consolidation of internet companies.
In the second vulnerability that Stevenson discovered, a sign-up page through the website for Comcast’s Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers’ Social Security numbers. Armed with just a customer’s billing address, a hacker could brute-force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer’s Social Security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form.