Comcast Xfinity website leaks customer data — twice

Reports are coming in that show a rather serious leak involving customer data occurred on the Comcast Xfinity website. The main information on this incident comes from ZDNet, which was responsible for informing Comcast about the data leak following an anonymous tip. According to ZDNet’s report, an API on the site was exposing customer data to web pages and applications, and anyone who understood how to call it could pull that data out. The information at risk included addresses, enabled services (including security systems), account number data, and more.

As the report explains:

The API was used as part of Xfinity’s website to help customers find stores and get account information. Because the API only returns data when it recognizes an Xfinity customer’s IP address, accessing a line owner’s customer data requires someone to already be on a customer’s network... anyone or anything connected to a customer’s WiFi network — including apps — could obtain the same customer account information, without obtaining their permission.
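The design flaw ZDNet describes is that the API treated “the request arrived from a customer’s IP address” as proof of who was asking, so any device or app sharing that network was trusted as the account holder. The following Python sketch is an added illustration written for this article, not Comcast’s code; the account records, IP-to-account mapping, and function names are constructed for the example. It places the IP-keyed lookup beside a version that only answers a request carrying a session token issued after an actual login, and ignores the source IP entirely for authorization.

```python
"""Why source-IP recognition is not authentication (added example, not Xfinity code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: what an account-info endpoint might hand back.
ACCOUNTS = {
    "ACCT-0001": {"address": "1 Example St", "services": ["internet", "home_security"]},
}

# Constructed: egress IP of a customer's home network -> account number.
# This is the only "credential" the weak design consults.
IP_TO_ACCOUNT = {"203.0.113.10": "ACCT-0001"}


@dataclass
class Request:
    client_ip: str
    session_token: Optional[str] = None


def lookup_by_ip(req: Request) -> Optional[dict]:
    """Weak design: anything on the customer's network (any app, any guest
    device) is treated as the customer and receives the account record."""
    account = IP_TO_ACCOUNT.get(req.client_ip)
    return None if account is None else ACCOUNTS[account]


# Hardened design: a server-side session store. Only the hash of each token is
# kept, so a leaked store does not yield usable tokens.
SESSIONS: dict[str, str] = {}  # sha256(token) -> account number


def issue_session(account: str) -> str:
    """Called only after the customer has actually logged in (login itself is
    out of scope here and assumed to have succeeded)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = account
    return token


def lookup_authenticated(req: Request) -> Optional[dict]:
    """Hardened design: the client IP plays no part in authorization.
    Without a valid session the endpoint returns nothing."""
    if not req.session_token:
        return None
    presented = hashlib.sha256(req.session_token.encode()).hexdigest()
    for stored_hash, account in SESSIONS.items():
        # Constant-time compare avoids leaking which prefix matched.
        if hmac.compare_digest(stored_hash, presented):
            return ACCOUNTS[account]
    return None


if __name__ == "__main__":
    # A smart-TV app on the home network, no login: weak design leaks the record.
    print("weak, from home IP, no session:", lookup_by_ip(Request("203.0.113.10")))
    # Same request against the hardened endpoint yields nothing.
    print("hardened, from home IP, no session:", lookup_authenticated(Request("203.0.113.10")))
    # A real login from anywhere (even a different network) still works.
    tok = issue_session("ACCT-0001")
    print("hardened, with session:", lookup_authenticated(Request("198.51.100.7", tok)))
```

The point of the comparison is the one Ben Johnson makes below: the data itself was never the hard part, the missing piece was tying each response to a proven identity rather than to a network location that many untrusted parties share.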

Once notified of this faulty API, Comcast worked quickly to deal with the issue. A spokesperson for the company said that “our engineers turned the feature off” and no accounts were affected, which in this security researcher’s view seems to be unlikely considering how effective the attack was.

As ZDNet pointed out in their report, this is the second incident in a month that involves the Comcast Xfinity website. In May, the Xfinity website was reported to have leaked customer data in a separate incident. In that case, an attacker who had an Xfinity account number and home number would be able to “obtain a customer’s full address and WiFi name and password, which could allow an attacker to use the information to access the WiFi network within its range.”

Although Comcast insists that it takes the security of its customers seriously, these back-to-back incidents suggest otherwise. Others in the InfoSec community are calling the company on the carpet for their perceived incompetence on the issue of data security. In an interview with SCMagazine Ben Johnson, CTO and co-founder at Obsidian Security, stated quite bluntly that “overlooking basic API authentication illustrates a shameful degree of negligence at Comcast.”

Comcast is certainly not the first company to deal with a customer data leak. But if Comcast wants to avoid a mass exodus of customers, it has to start taking its security more seriously.

Featured image: Flickr / Mike Mozart

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
