Comcast Xfinity website leaks customer data — twice

Reports show that a serious leak of customer data occurred on the Comcast Xfinity website. The main account of the incident comes from ZDNet, which informed Comcast of the leak after receiving an anonymous tip. According to ZDNet’s report, an API on the site handed customer data to any web page or application that knew how to query it. The information at risk included the customer’s address, enabled services (including home security systems), account number, and more.

As the report explains:

The API was used as part of Xfinity’s website to help customers find stores and get account information. Because the API only returns data when it recognizes an Xfinity customer’s IP address, accessing a line owner’s customer data requires someone to already be on a customer’s network... anyone or anything connected to a customer’s WiFi network — including apps — could obtain the same customer account information, without obtaining their permission.

Once notified of the faulty API, Comcast moved quickly to deal with the issue. A company spokesperson said that “our engineers turned the feature off” and that no accounts were affected, a claim this security researcher finds unlikely given how little effort the attack required.

As ZDNet pointed out in its report, this is the second incident in a month involving the Comcast Xfinity website. In May, the Xfinity website was found to be leaking customer data in a different way. In that incident, an attacker who knew a customer’s Xfinity account number and house number could “obtain a customer’s full address and WiFi name and password, which could allow an attacker to use the information to access the WiFi network within its range.”
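Both incidents share a root cause: the API treated something an attacker can observe or guess (the customer’s public IP address in the first case, an account number plus a house number in the second) as proof of identity. The following toy model is an added example written for this page, not Comcast’s code or ZDNet’s; the customer record, IP address and account number are constructed sample data, and the function names are hypothetical. It shows the two weak lookups side by side with a hardened version that ignores the source IP, requires an authenticated session token, and never returns the Wi-Fi password at all.

```python
"""Toy model of two API authorization anti-patterns and a hardened form.
Added example for this page; all data below is constructed, not real."""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample record (hypothetical customer, RFC 5737 test address).
CUSTOMERS = {
    "0123456789": {
        "address": "742 Evergreen Terrace, Springfield",
        "house_number": "742",
        "services": ["internet", "home security"],
        "wifi_ssid": "HOME-7421",
        "wifi_password": "correct horse battery staple",
        "public_ip": "203.0.113.7",  # IP the ISP currently assigns to this line
    },
}


@dataclass
class Request:
    source_ip: str
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


# --- Anti-pattern 1: "authentication" by source IP ---------------------------
def lookup_by_source_ip(req):
    """Return the account whose assigned IP matches the request's source IP.
    Every device behind the customer's NAT (guests, IoT devices, mobile apps)
    shares that public IP, so all of them are treated as the account holder."""
    for acct, rec in CUSTOMERS.items():
        if rec["public_ip"] == req.source_ip:
            return {"account": acct, **rec}
    return None


# --- Anti-pattern 2: lookup keyed on low-entropy, knowable facts ------------
def lookup_by_account_and_house_number(account, house_number):
    rec = CUSTOMERS.get(account)
    if rec and rec["house_number"] == str(house_number):
        return {"account": account, **rec}
    return None


def brute_force_house_number(account, max_number=99999):
    """Attacker holding only an account number enumerates house numbers.
    Returns (leaked_record, attempts) or (None, attempts)."""
    for n in range(1, max_number + 1):
        rec = lookup_by_account_and_house_number(account, n)
        if rec:
            return rec, n
    return None, max_number


# --- Hardened form: authenticated session bound to exactly one account ------
SESSIONS = {}  # token -> account; populated only by a successful login


def login(account, password_ok=True):
    """Stand-in for a real credential check; issues an unguessable token."""
    if not password_ok or account not in CUSTOMERS:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def account_for_token(presented):
    # Constant-time comparison against each stored token (bytes, so non-ASCII
    # input cannot raise instead of simply failing to match).
    for token, acct in SESSIONS.items():
        if hmac.compare_digest(token.encode(), presented.encode()):
            return acct
    return None


def lookup_hardened(req):
    """Ignore the source IP entirely; require a bearer token and return only
    the authenticated account's data, with the Wi-Fi password omitted."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    acct = account_for_token(auth[len("Bearer "):])
    if acct is None:
        return None
    rec = CUSTOMERS[acct]
    return {
        "account": acct,
        "address": rec["address"],
        "services": rec["services"],
        "wifi_ssid": rec["wifi_ssid"],
        # wifi_password deliberately absent: a password is set, never read back.
    }
```

Run against the sample record, `lookup_by_source_ip` hands the full record, Wi-Fi password included, to any request arriving from 203.0.113.7, and `brute_force_house_number` recovers the same record from the account number alone in a few hundred tries. `lookup_hardened` returns nothing to either of those callers and releases only the session owner’s data after `login`.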

Comcast insists that it takes its customers’ security seriously, but these back-to-back incidents suggest otherwise. Others in the InfoSec community are calling the company out for what they see as incompetence on data security. In an interview with SC Magazine, Ben Johnson, CTO and co-founder of Obsidian Security, stated bluntly that “overlooking basic API authentication illustrates a shameful degree of negligence at Comcast.”

Comcast is certainly not the first company to deal with a customer data leak. But if Comcast wants to avoid a mass exodus of customers, it has to start taking its security more seriously.

Featured image: Flickr / Mike Mozart

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society regarding Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
