Internet-cable-television provider Charter Communications recently fixed an issue with its website that was inadvertently leaking the information of tens of thousands of customers.
Customers’ payment details, modem serial numbers, device names, account numbers, and home addresses were being spilled from the company’s site, charter.com, according to researchers.
Eric Taylor, CTO at the startup firm Cinder, and fellow researcher Blake Welsh stumbled upon the vulnerability. The two previously discovered a similar bug in Verizon’s online system where customers’ user IDs, phone numbers, and device names were being exposed.
The issue with Verizon’s site was reported by Buzzfeed and ultimately closed by the telecom giant last week.
According to Fast Company, which interviewed Taylor about the issue, the problem with Charter stems from the fact that the cable company identified customers using their IP address. By using a Firefox add-on, X-Forwarded-For Header, an attacker could apparently present a Charter customer’s IP address as their own. Since Charter keeps customers’ account details under their IP addresses, an attacker could easily glean that information.
According to Taylor, the technique is worse than the Verizon bug he helped dig up and could even be automated on a larger scale.
“In theory, anyone with minor programming skills could code an automated program that scans every Charter IP and returns the customer’s billing info,” Taylor told Fast Company.
Charter, based in Stamford, Conn., offers services to nearly 6 million customers across 29 states, including Texas, California, and New York.
Taylor points out that by using a Charter customer’s IP address, an attacker could make a header modification, visit a Charter URL and then claim they forgot their username. The attacker would then be prompted to create a new one and, after going through the motions, could eventually learn the name, address, and username of the customer associated with the IP address.
In fact, trying to create a username on the site brings up a form complete with the user’s last name and home address. According to Taylor, an attacker could apparently learn more about the user either through API links or by accessing the site’s source code.
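The header trust problem described above can be shown server-side. The following is an added example, not Charter's code: it contrasts a resolver that believes any X-Forwarded-For value with one that honours the header only for hops appended by the site's own proxies. The function names, the trusted proxy range and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumed deployment: the site's own load balancers live in this range (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(peer_addr, headers):
    """Flawed pattern: believe whatever address the request header claims."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_addr


def resolved_client_ip(peer_addr, headers):
    """Honour X-Forwarded-For only for hops appended by our own proxies."""
    peer = ipaddress.ip_address(peer_addr)
    xff = headers.get("X-Forwarded-For")
    if not xff or not _is_trusted(peer):
        # Direct connection: the header is entirely client-controlled, ignore it.
        return str(peer)
    # Walk right to left. Entries on the right were appended by our proxies;
    # everything left of the first untrusted address is client-supplied.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed chain: fall back to the socket peer
        if not _is_trusted(ip):
            return str(ip)
    return str(peer)


if __name__ == "__main__":
    # Constructed requests: (socket peer, headers). Addresses are documentation ranges.
    samples = [
        ("198.51.100.7", {"X-Forwarded-For": "203.0.113.50"}),            # forged, direct
        ("10.0.0.5", {"X-Forwarded-For": "203.0.113.50, 198.51.100.7"}),  # forged, via proxy
        ("10.0.0.5", {"X-Forwarded-For": "198.51.100.7"}),                # honest, via proxy
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, naive_client_ip(peer, hdrs), resolved_client_ip(peer, hdrs))
```

Even a correctly resolved address identifies a network connection rather than an authenticated account holder, so it should not by itself unlock account details.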
While Charter has fixed the issue – Fast Company notified the company and it was fixed within several hours – a spokesperson with Charter claims the number of customers that were actually affected by the issue was fewer than one million and that most of its users use a different version of the site.
“The vast majority of Charter customers use a version of the site on which this security vulnerability was not an issue,” the spokesperson told Fast Company, adding that it was continuing to look into the issue but that it has “seen no evidence of any password or data hacks.”