According to a BuzzFeed News report, security researcher Ryan Stevenson found a vulnerability in the high-speed ISP’s online customer portal that could allow unauthorised parties to determine the partial home address of customers.
The flaw was found in the “in-home authentication” webpage that customers could use to access their Comcast Xfinity bills without the hassle of logging in.
In-home authentication (also known as Home-Based Authentication, HBA, or IP authentication) is supposed to reduce the friction for customers attempting to access their accounts and reduce the number of password resets requested.
The webpage asked users to verify their accounts by choosing their correct home address from a displayed list of four partial home addresses.
Choose the correct address, and you gain access to the billing account.
How does Comcast Xfinity know which is your correct home address? By looking at the webpage visitor’s IP address.
But there lies the problem. Security researcher Ryan Stevenson was able to spoof a customer’s IP address and trick Comcast by changing the X-Forwarded-For header in his request, so the portal treated the request as if it had come from the customer’s own connection.
Then, by repeatedly refreshing the login page, three of the suggested partial home addresses would change – and only one would stay the same: the correct one, belonging to the targeted customer.
An attacker would now know the first digit of the customer’s street number and the first three letters of the street where they lived, with asterisks hiding all other characters.
As BuzzFeed News explains, it would then be possible for a malicious hacker to determine the customer’s city, state, and postal code for the partial address by using an IP lookup website.
It’s easy to imagine how an individual might be targeted using the technique, as a visitor’s IP address is revealed to any website they access. If a malicious actor wanted to determine a particular Xfinity customer’s home address, they might simply send their target a link to a webpage under their control or embed a tracking pixel inside an HTML message with the specific intention of capturing an IP address.
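The root cause of the first flaw is a portal that believes whatever a visitor writes into X-Forwarded-For. As an added illustration (not Comcast’s code, and not from the report), the function below contrasts that behaviour with the usual fix: honour the header only when the TCP peer is one of your own reverse proxies, and take the rightmost address those proxies did not add themselves. The proxy range and the request values are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed for this example: the reverse proxies the portal is deployed
# behind. Only these peers may speak for the real client via X-Forwarded-For.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def is_trusted_proxy(addr: str) -> bool:
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr: str, headers: dict) -> str:
    """The failure mode the report describes: the header is believed whenever
    it is present, so one extra header lets a visitor pose as another line."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr


def hardened_client_ip(remote_addr: str, headers: dict) -> str:
    """Honour X-Forwarded-For only when the TCP peer is one of our proxies,
    then walk the chain from the right (the hop our proxy appended) and stop
    at the first address that is not a proxy. Anything the client wrote into
    the header itself sits further left and is never reached."""
    if not is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed(hops):
        if not hop:
            continue
        try:
            ip_address(hop)
        except ValueError:
            return remote_addr  # malformed chain: fall back to the peer
        if not is_trusted_proxy(hop):
            return hop
    return remote_addr  # every hop was ours, so the peer is the client


if __name__ == "__main__":
    # Constructed request: a visitor at 203.0.113.7 reaches the app directly
    # and claims a different address in the header.
    spoofed = {"X-Forwarded-For": "198.51.100.25"}
    print(naive_client_ip("203.0.113.7", spoofed))     # 198.51.100.25 (believed)
    print(hardened_client_ip("203.0.113.7", spoofed))  # 203.0.113.7 (header ignored)
    # Same visitor arriving through our proxy, which appended the peer it saw.
    via_proxy = {"X-Forwarded-For": "198.51.100.25, 203.0.113.7"}
    print(hardened_client_ip("10.0.0.5", via_proxy))   # 203.0.113.7
```

The same peer check is what makes the address pinned to the visitor rather than to a value the visitor controls, which is the property home-based authentication depends on.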
But the story doesn’t end there, as Stevenson also found another security hole in Comcast Xfinity’s systems – specifically a sign-up page for authorized dealers. The webpage was vulnerable to hackers attempting to brute force a customer’s Social Security Number.
A form on the page requested the customer’s home address to be entered (perhaps determined using the technique described above) along with the last four digits of the customer’s Social Security Number.
In a huge blunder, the webpage allowed an unlimited number of attempts to get the last four digits of the Social Security Number correct – meaning an attacker could simply write some code to automatically cycle through all the possibilities from 0000 to 9999 until hitting gold.
Comcast responded to the report of the vulnerabilities from BuzzFeed News, patching quickly to avoid the security holes being exploited by others in the future:
“We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.”
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.