Comcast Website Bug Reveals Your Sensitive Personal Information

ZDNet reported yesterday that Comcast website has a bug that leaks customers’ personal information through Xfinity routers. Users’ personal sensitive information such as full home address, zip code, Wi-Fi network name, and Wi-Fi password are exposed through routers’ home page which displays settings for Wi-Fi and cable services.

Comcast said in a statement that the affected service is no longer active and they have fixed the bug which affected their website shortly after the reports started surfacing in the media and they are conducting a thorough investigation as to why this really happened. Comcast has also given assurance to its users that nobody’s personal information has been leaked.

Karan Saini and Ryan Stevenson, a pair of security researchers who first spotted the bug told their discovery to ZDNet. The Comcast’s website has a tool that requests the user to enter full home address in order to verify their account and register and activate their new Wi-Fi router at home. But Karan and Ryan have stated that this tool isn’t secured properly and this requirement could be sidestepped with a customer account ID along with apartment or house number rather than the full street address, prompting the website to display full home address, Wi-Fi name and password.

Researcher duo also said that it appears that an attacker can change the Wi-Fi name and password of your home router, thus temporarily locking you out of your own home Wi-Fi network. That is only plausible if you were using the Comcast-provided Xfinity router and no Wi-Fi information is revealed if you were using your own router.

As customer ID numbers are easily available, this vulnerability in Xfinity routers is particularly severe. This bug has been confirmed by multiple sources to return home addresses and Wi-Fi login credentials. 

Want to find out if your Xfinity router is still affected or not? Give a call to Comcast customer service number and they will help you check out for any loss of personal information. You can ask for activation of two-factor authentication as well, thus enabling the two-layer security of your account.