Comcast patched a bug Monday that, under certain conditions, leaked the SSID names and passwords of customers’ Xfinity routers. The flaw was accessible via the Comcast website that customers use to activate and manage their Xfinity router. The bug did not affect Comcast customers who used their own private routers.
Researchers Karan Saini and Ryan Stevenson discovered the bug on Monday. Saini told Threatpost that after he notified the media of his discovery, Comcast was alerted to the glitch and the bug was quickly patched.
To trigger the website vulnerability, the researchers needed two pieces of information: an Xfinity customer’s account number and just the street number (but not the name of the street) of the billing address used at the location of the customer leasing the Xfinity router from Comcast.
With those two pieces of data, Saini discovered that a user could access the full address of the Comcast customer’s account, along with the SSID name and password associated with the customer’s Xfinity router. Access also allowed Saini to change the SSID password.
Comcast released a statement on Monday: “Within hours of learning of this issue, we shut it down. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.”
Attack scenarios include malicious users logging into a customer’s password-protected Wi-Fi network to snoop on or hack endpoints on the local network. Other possible attack scenarios include performing a man-in-the-middle attack on the shared network or just stealing a neighbor’s Wi-Fi. Lastly, an attacker could lock a customer out of their own Wi-Fi network by constantly changing their SSID password.
“This becomes essentially a backdoor of sorts,” Saini told Threatpost. He pointed out that Comcast customer account information can be plucked from a number of places, including the trash, but also sometimes online. A search of public customer service queries by Comcast customers online revealed that many use their account number to identify themselves to Comcast online customer service agents.
Saini is known for his previous research, in which he discovered an Uber two-factor bypass bug affecting its customers, along with a vulnerability in India’s Aadhaar system, which uses a 12-digit unique identity number. In the Aadhaar case, Saini identified a bug that allowed him to extract personal phone numbers linked to Aadhaar numbers.