Comcast has had to shut the gate on a potential customer data breach after ZDNet once again notified the cable company that one of its web pages had the potential to expose private customer information to unauthorized users.
Comcast said it shut down an API on its sites that recognizes customer IP addresses and allows them to access the nearest store location and various account data. According to ZDNet, an anonymous internet security firm made the publication aware that an unauthorized user who somehow managed to hijack a Comcast Wi-Fi account could get customer information.
“As soon as we became aware of this situation, our engineers turned the feature off, which could only be accessed within a customer’s home or while logged into the customer’s Wi-Fi network,” Comcast said in a statement. “We have no reason to believe that anyone’s account information was improperly taken or used.”
In May, Comcast also shut down a feature that allowed anyone with a subscriber’s account number and street address number to access their Wi-Fi name and password via the company’s Xfinity internet activation service.
ZDNet reported that a website set up by Comcast to make it easier for customers to set up their own internet and cable TV service can be tricked into giving up private authentication data. The blog said two security researchers obtained—with consent—the street address and account numbers from two Comcast subscribers, then tried to get private information from Comcast.
“The site returned the Wi-Fi name and password—in plaintext—used to connect to the network for one of the customers who uses an Xfinity router,” ZDNet wrote. “The other customer was using his own router—and the site didn't return the Wi-Fi network name or password.”
A hacker, ZDNet argued, could do the same thing: access a customer’s Wi-Fi network with a discarded paper bill or illicitly obtained email statement.