Comcast Accidentally Leaks Xfinity Customer Data on Website

A bug on Xfinity's router setup webpage let anyone with access to a customer's account ID and house or apartment number change the network's WiFi name and password.
Published: May 22, 2018

PHILADELPHIA — A bug in a Comcast website that is used to activate the routers of Xfinity customers was leaking sensitive information, according to two researchers.

Researchers Karan Saini and Ryan Stevenson told ZDNet that the website could be tricked into displaying the home address where a router is located, as well as the WiFi name and password of the network.

All a potential attacker would need is a customer account ID and that customer’s house or apartment number to reveal their network’s WiFi name and password. Fortunately, this was only the case for customers using an Xfinity router and did not affect customers using their own device.

The researchers say the bug could allow an attacker to change a network’s WiFi name and password, leaving the owner locked out.

Considering how many devices the modern consumer has connected to their home network, this could have resulted in catastrophic consequences — especially considering Comcast is moving into the home automation and residential security market.

ZDNet says Comcast removed the option after the story was published.

“There’s nothing more important than our customers’ security,” said a Comcast spokesperson. “Within hours of learning of this issue, we shut it down. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.”
