[BreachExchange] Comcast Patches Router Bug That Leaked Some Wi-Fi Passwords

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 22 18:59:08 EDT 2018


Comcast patched a bug Monday that under certain conditions leaked customer
SSID names and passwords of Xfinity routers. The flaw was accessible via
the Comcast website used by customers to activate and manage their Xfinity
router. The bug did not affect Comcast customers that used their own
private routers.

Researchers Karan Saini and Ryan Stevenson discovered the bug on Monday.
Saini told Threatpost after notifying the media of his discovery, Comcast
was alerted of the glitch and the bug was quickly patched.

The prerequisite for the website vulnerability was that the researchers
needed to have an Xfinity customer’s account number and just the street
number (but not the name of the street) of the billing address used at the
location of the customer leasing the Xfinity router from Comcast.

With those two pieces of data, Saini discovered a user could access the
full address of the Comcast customer’s account, along with the SSID name
and password associated with the customer’s Xfinity router. Access also
allowed Saini to change the SSID password.

Comcast released a statement on Monday: “Within hours of learning of this
issue, we shut it down. We are conducting a thorough investigation and will
take all necessary steps to ensure that this doesn’t happen again.”

Attack scenarios range from malicious users interested in logging into a
customer’s password-protected Wi-Fi network to snoop on or hack endpoints
on the local network. Other possible attack scenarios include performing a
man-in-the-middle attack on the shared network or just stealing a
neighbor’s Wi-Fi. Lastly, an attacker could lock a customer out of their
own Wi-Fi network by constantly changing their SSID password.

“This becomes essentially a backdoor of sorts,” Saini told Threatpost. He
pointed out that Comcast customer account information can be plucked from a
number of places, including the trash, but also sometimes online. A search
of public customer service queries by Comcast customers online revealed
that many use their account number to identify themselves to Comcast online
customer service agents.

Saini is known for his previous research where he discovered an Uber
two-factor bypass bug affecting its customers along with a vulnerability in
India’s Aadhaar system, a 12-digit unique identity number. Saini identified
a bug that allowed him to extract personal phone numbers linked to Aadhaar
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180522/20a329d9/attachment.html>

More information about the BreachExchange mailing list