Reports are coming in that show a rather serious leak of customer data occurred on the Comcast Xfinity website. The main information on this incident comes from ZDNet, which informed Comcast about the data leak after receiving an anonymous tip. According to ZDNet's report, an API exposed customer data to web pages and applications, and anyone who knew how to query it could retrieve that data. The information at risk included addresses, enabled services (including security systems), account number data, and more.
As the report explains:
The API was used as part of the Xfinity’s website to help customers find stores and get account information. Because the API only returns data when it recognizes an Xfinity customer’s IP address, accessing a line owner’s customer data requires someone to already be on a customer’s network... anyone or anything connected to a customer’s WiFi network — including apps — could obtain the same customer account information, without obtaining their permission.
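The quoted description boils down to one design flaw: the API treated the requester's source IP as proof of identity. Behind a home router every device shares the customer's public (WAN) address, so a guest phone or a third-party app on the WiFi looks identical to the account holder. The following is an added illustration, not code from the original article or from Comcast; all addresses, account records, the `SERVER_KEY` value and the function names are constructed for the example. It models the IP-only check beside a token-bound check in which the source IP plays no role in authorization.

```python
"""Toy model of IP-based versus token-based API authorization (constructed example).

No real endpoints, customers or identifiers are involved; every value below is
made up for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed customer directory keyed by account number.
ACCOUNTS = {
    "ACCT-0001": {
        "address": "1 Example Street",
        "services": ["internet", "home-security"],
    },
}

# Constructed mapping of a customer's public (WAN) IP to their account.
# Every device behind that customer's router arrives from this same address.
ACCOUNT_BY_WAN_IP = {"203.0.113.10": "ACCT-0001"}

# Hypothetical server-side secret used to sign session tokens.
SERVER_KEY = b"constructed-server-secret-do-not-reuse"


def lookup_by_ip_only(source_ip):
    """Vulnerable pattern: the source IP alone selects the account.

    Any device or app behind the customer's NAT shares the WAN IP, so it
    receives the account record without presenting any credential.
    """
    account_number = ACCOUNT_BY_WAN_IP.get(source_ip)
    if account_number is None:
        return None
    return {"account_number": account_number, **ACCOUNTS[account_number]}


def issue_token(account_number):
    """Mint a session token after a real login; the MAC binds it to the account."""
    nonce = secrets.token_hex(8)
    payload = f"{account_number}:{nonce}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_token(token):
    """Return the account number the token is bound to, or None if invalid."""
    try:
        account_number, nonce, mac = token.split(":")
    except (AttributeError, ValueError):
        return None
    payload = f"{account_number}:{nonce}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a tampered MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, expected):
        return None
    return account_number


def lookup_with_token(source_ip, token):
    """Hardened pattern: the request must carry a valid token for the account.

    The source IP is accepted as a parameter only to show it is ignored; a
    guest on the customer's WiFi with no token gets nothing, while the account
    holder with a token is served from any network.
    """
    account_number = verify_token(token)
    if account_number is None or account_number not in ACCOUNTS:
        return None
    return {"account_number": account_number, **ACCOUNTS[account_number]}


if __name__ == "__main__":
    guest_ip = "203.0.113.10"  # guest device, same WAN IP as the customer
    print("IP-only check, guest device:", lookup_by_ip_only(guest_ip))
    print("Token check, guest device:", lookup_with_token(guest_ip, None))
    owner_token = issue_token("ACCT-0001")
    print("Token check, owner on a coffee-shop network:",
          lookup_with_token("198.51.100.7", owner_token))
```

The two lookups return the same record for the legitimate owner; the difference is who else can obtain it. A real deployment would tie the token to a login, give it an expiry, and reject it on logout, but the core point is that network position is never an identity.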
Once notified of this faulty API, Comcast worked quickly to deal with the issue. A spokesperson for the company said that "our engineers turned the feature off" and that no accounts were affected, which in this security researcher's view seems unlikely considering how effective the attack was.
As ZDNet pointed out in its report, this is the second incident in a month involving the Comcast Xfinity website. In May, the Xfinity website was separately suspected of leaking customer data. In that incident, an attacker who had an Xfinity account number and home phone number could "obtain a customer's full address and WiFi name and password, which could allow an attacker to use the information to access the WiFi network within its range."
Although Comcast insists that it takes the security of its customers seriously, these back-to-back incidents suggest otherwise. Others in the InfoSec community are calling the company on the carpet for its perceived incompetence on the issue of data security. In an interview with SCMagazine, Ben Johnson, CTO and co-founder at Obsidian Security, stated quite bluntly that "overlooking basic API authentication illustrates a shameful degree of negligence at Comcast."
Comcast is certainly not the first company to deal with a customer data leak. But if Comcast wants to avoid a mass exodus of customers, it has to start taking its security more seriously.
Featured image: Flickr / Mike Mozart