Poor security measures have reportedly put the personal details of over 26.5 million Comcast Xfinity customers at risk, a researcher has revealed.
According to a BuzzFeed News report, security researcher Ryan Stevenson found a vulnerability in the high-speed ISP’s online customer portal that could allow unauthorised parties to determine the partial home address of customers.
The flaw was found in the “in-home authentication” webpage that customers could use to access their Comcast Xfinity bills without the hassle of logging in.
In-home authentication (also known as Home-Based Authentication, HBA, or IP authentication) is supposed to reduce the friction for customers attempting to access their accounts, and reduce the number of password resets requested.
The webpage asked users to verify their accounts by choosing their correct home address from a displayed list of four partial home addresses.
Choose the correct address, and you gain access to the account.
How does Comcast Xfinity know which is your correct home address? By looking at the webpage visitor’s IP address.
But there lies the problem. Security researcher Ryan Stevenson was able to spoof a customer’s IP address and trick Comcast by changing the X-Forwarded-For header in their request.
Then, by repeatedly refreshing the login page, three of the suggested partial home addresses would change – and only one would stay the same, the correct one belonging to the targeted customer.
An attacker would now know the first digit of the customer’s street number, and the first three letters of the street where they lived, with asterisks hiding all other characters.
As BuzzFeed News explains, it would then be possible for a malicious hacker to determine the customer’s city, state, and postal code for the partial address by using an IP lookup website.
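The weakness described above comes from treating a client-supplied X-Forwarded-For value as the visitor's IP address. The following is an added example, not code from Comcast or the original report: it contrasts that weak pattern with resolving the address from the TCP peer and trusted proxy hops only. The 10.0.0.0/8 proxy range, the function names and the sample addresses in the comments are assumptions made for illustration.

```python
import ipaddress

# Assumption: the application's own reverse proxies live in this range
# (constructed placeholder value, not taken from the report).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr, xff):
    """Weak pattern: believe the leftmost X-Forwarded-For entry.

    The client writes that entry, so IP-based authentication built on it
    authenticates whatever address the request claims.
    """
    return xff.split(",")[0].strip() if xff else remote_addr


def resolved_client_ip(remote_addr, xff):
    """Return the nearest hop that is not one of our proxies, or None.

    The TCP peer address is the only value the client cannot choose. The
    header is consulted only when the peer is a trusted proxy, and it is
    walked right to left because each proxy appends the address it saw.
    None means "cannot tell": fall back to a normal password login.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer):
        return str(peer)              # direct connection: header ignored
    for hop in reversed([h.strip() for h in (xff or "").split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None               # missing or malformed entry
        if not _is_trusted(addr):
            return str(addr)          # first address outside our proxies
    return None                       # header listed only our own proxies
```

Any entries to the left of the returned address were supplied by the client and are never read.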
It’s easy to imagine how an individual might be targeted using (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Graham Cluley. Read the original post at: https://www.tripwire.com/state-of-security/featured/comcast-xfinity-customers-home-addresses-ssns-exposed/