Comcast bug made it shockingly easy to steal customers’ Wi-Fi passwords

A security hole in a Comcast service-activation website allowed anyone to obtain a customer’s Wi-Fi network name and password by entering the customer’s account number and a partial street address, ZDNet reported yesterday. The problem would have let attackers ‘rename Wi-Fi network names and passwords, temporarily locking users out’ of their home networks, ZDNet wrote. Obviously, an attacker could also use a Wi-Fi network name and password to log into an unsuspecting Comcast customer’s home network.

The problem affected Comcast customers who use a router supplied by Comcast. Customers who buy their own router instead of renting one from Comcast were unaffected, ZDNet wrote. Comcast charges customers $11 a month (plus taxes and fees) for Xfinity-branded gateways, which act as a modem and router.

The offending Comcast webpage is used by Comcast customers to set up their cable service. But the website bug let anyone retrieve a specific customer’s Wi-Fi network name and password even if that customer had already set up their service. The website would also display the home address where the router was located, even though an attacker didn’t need to know the customer’s entire street address.

Only a customer account ID and that customer’s house or apartment number is needed—even though the web form asks for a full address. That information could be grabbed from a discarded bill or obtained from an email. In any case, a determined attacker could simply guess the house or apartment number.

The site returned the Wi-Fi name and password—in plain text—used to connect to the network for one of the customers who uses an Xfinity router. The other customer was using his own router—and the site didn’t return the Wi-Fi network name or password.

Source: arstechnica.com