Comcast said it has shut down a security flaw that, according to a tech blog, allowed anyone with a subscriber’s account number and street address number to access that subscriber’s Wi-Fi name and password via the company’s Xfinity internet activation service.
“There’s nothing more important than our customers’ security. Within hours of learning of this issue, we shut it down,” Comcast said in a statement. “At no time did this site enable anyone to access customers’ personal usernames and passwords and we have no reason to believe that any account information was accessed. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.”
ZDNet reported that a website set up by Comcast to make it easier for customers to set up their own internet and cable TV service can be tricked into giving up private authentication data. The blog said two security researchers obtained—with consent—the street address and account numbers from two Comcast subscribers, then tried to get private information from Comcast.
“The site returned the Wi-Fi name and password—in plaintext—used to connect to the network for one of the customers who uses an Xfinity router,” ZDNet wrote. “The other customer was using his own router—and the site didn't return the Wi-Fi network name or password.”
A hacker, ZDNet argued, could do the same thing, using a discarded paper bill or illicitly obtained email statement to access a customer’s Wi-Fi network.
Ironically, the alleged security flaw is tied to Comcast’s effort to provide self-installation abilities for subscribers who want to avoid service-call fees—a capability that was deemed inadequate in another report last week.
Ars Technica reported that under a variety of circumstances—which vary based on regional policy—Comcast won’t allow some customers to avoid installation fees of up to $90, even if they try to self-install.
The report said that in some instances, a customer couldn’t complete orders online without paying the fees. A Comcast representative told FierceCable on Friday that these restrictions apply to instances in which the cable company needs to know more about the customer before it will provide them a self-install kit. For example, the online ordering system won't enable a self-install automatically when someone takes over an apartment that had existing Comcast service from the previous customer.
However, he said install fees can be avoided in most cases if customers pick up the phone and call Comcast directly.