A security hole in a Comcast service-activation website allowed anyone to obtain a customer’s Wi-Fi network name and password by entering the customer’s account number and a partial street address, ZDNet reported yesterday.
The problem would have let attackers “rename Wi-Fi network names and passwords, temporarily locking users out” of their home networks, ZDNet wrote. Obviously, an attacker could also use a Wi-Fi network name and password to log into an unsuspecting Comcast customer’s home network.
Shortly after ZDNet’s story was published, Comcast disabled the website feature that was leaking Wi-Fi passwords. “Within hours of learning of this issue, we shut it down,” Comcast told ZDNet and Ars. “We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.”
“There’s nothing more important than our customers’ security,” Comcast also said.
The problem affected Comcast customers who use a router provided by Comcast. Customers who purchase their own router instead of renting one from Comcast were unaffected, ZDNet wrote. Comcast charges customers $11 a month (plus taxes and fees) for Xfinity-branded gateways, which act as a modem and router.
The problem was discovered by security researchers Karan Saini and Ryan Stevenson, who shared their findings with ZDNet.
Not much security
The offending Comcast website is used by Comcast customers to set up their cable service. But the website bug let anyone retrieve a specific customer’s Wi-Fi network name and password even if that customer had already set up their service. The site would also display the home address where the router was located, even though an attacker did not need to know the customer’s entire street address.
Only a customer account ID and that customer’s house or apartment number is needed—even though the web form asks for a full address. That information could be grabbed from a discarded bill or obtained from an email. In any case, a determined attacker could simply guess the house or apartment number.
ZDNet obtained permission from two Xfinity customers to check their information. We were able to obtain their full address and zip code—which both customers confirmed.
The site returned the Wi-Fi name and password—in plain text—used to connect to the network for one of the customers, who uses an Xfinity router. The other customer was using his own router—and the site did not return the Wi-Fi network name or password.
To prevent a recurrence, Comcast told Ars that it “removed the ability to log into the device activation site… using an account number and address.”
Comcast also told Ars that the security problem never allowed access to “customers’ own usernames and passwords, and we don’t have any reason to believe that any account information was accessed.”
It’s not uncommon for home Internet providers to make Wi-Fi network passwords available in plain text over the web. ISPs do this to help customers retrieve a lost network password or change their Wi-Fi password. But the practice comes with a major security risk if the ISP does not protect the passwords from third parties, as Comcast failed to do in this case.
Since the problem appears to be related entirely to Comcast’s website and not to a specific Comcast router, it could have affected any Comcast customer who uses one of the company’s routers.
We asked Comcast if the problem affected all Comcast routers and how long the problem existed. We also asked for details on how Comcast secures customer Wi-Fi passwords. We’ll update this article if we get any answers.
Update: Comcast told us that it stores passwords using AES encryption and that Internet traffic containing passwords is secured with SSL. But it sounds as though the passwords were not hashed. The plain text passwords were only supposed to be accessible to people who authenticate properly to the Comcast system, Comcast told us. We will update this article again if we get more information.