Comcast Website Flaws Exposed SSNs, Home Addresses

Comcast is reportedly one of the “most-hated” companies in the U.S. already. Its customers often complain about inconsistent service and dreadful customer support. Those people now have something new to complain about: two security vulnerabilities reportedly let anyone with a little technical know-how learn part of customers’ home addresses and Social Security numbers (SSNs).

Security researcher Ryan Stevenson revealed the vulnerabilities in a report from BuzzFeed. The flaws were found in two places: a billing system that allowed people to pay their bills without having to sign into their Comcast account, and the website used by Comcast’s Authorized Dealers. The former made it easy to learn a Comcast subscriber’s home address; the latter revealed partial SSNs.

Both flaws were easy to exploit. The first could be duped by anyone who learned someone’s IP address (which isn’t particularly hard) and spoofed it on the “in-home authentication” page that made it easy for people to pay their bills. The page reportedly showed four partial addresses that might correspond to the given IP address. Refresh it several times and eventually you could deduce that the one constant was the correct address.

Compromising someone’s home address has obvious security implications. This knowledge could make it easier to harass someone, cause them physical harm, or commit a potentially deadly “prank” by swatting them (that’s when you call police with a fake emergency to convince them to send armed officers to the victim’s home). Obtaining a subscriber’s address was also necessary to exploit the next flaw.

The second flaw Stevenson discovered let someone using Comcast’s Authorized Dealers website brute-force their way into learning the last four digits of a Comcast subscriber’s SSN. How? Because as long as you had the correct address, Comcast didn’t limit how many guesses you could make at the SSN associated with the account, so anyone with a little time on their hands could run a script that would just guess until it was right.

Here’s the good news: Comcast resolved both of these issues after BuzzFeed reached out about the vulnerabilities. The “in-home authentication” page no longer exists, and there’s now a limit to how many guesses one can make on the Authorized Dealers website. Comcast also told BuzzFeed it’s not aware of anyone exploiting these vulnerabilities, but it’s still investigating the matter, so that might change down the line.
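The guess limit described above can be sketched as follows. This is an added example, not Comcast's code: the class and function names, the account identifier, the sample record, and the policy values (five failures per 24 hours) are all assumptions, since the report does not say what limit Comcast chose. The counter is keyed on the account being looked up rather than on the client, so spreading guesses across many connections does not reset it.

```python
import hmac
import time

MAX_FAILURES = 5            # assumed policy: failed checks allowed per window
WINDOW_SECONDS = 24 * 3600  # assumed policy: how long a failure is remembered


class GuessLimiter:
    """Caps failed last-four-SSN checks per account, not per client."""

    def __init__(self, records, clock=time.monotonic):
        self.records = records   # account_id -> last four digits (constructed data)
        self.failures = {}       # account_id -> timestamps of recent failures
        self.clock = clock       # injectable so the window can be tested

    def _recent(self, account_id):
        # Drop failures that have aged out of the window.
        cutoff = self.clock() - WINDOW_SECONDS
        kept = [t for t in self.failures.get(account_id, []) if t > cutoff]
        self.failures[account_id] = kept
        return kept

    def verify(self, account_id, guess):
        """Return 'ok', 'denied' or 'locked'."""
        recent = self._recent(account_id)
        if len(recent) >= MAX_FAILURES:
            # Checked before comparing: a locked account answers nothing,
            # so it cannot be used as a right/wrong oracle.
            return "locked"
        expected = self.records.get(account_id)
        # Unknown accounts are compared against a dummy and follow the same path.
        match = hmac.compare_digest((expected or "----").encode(), guess.encode())
        if expected is not None and match:
            return "ok"
        recent.append(self.clock())
        return "denied"


def sweep(limiter, account_id):
    """Submit every 4-digit value in order; return (checks evaluated, found)."""
    results = [limiter.verify(account_id, f"{n:04d}") for n in range(10_000)]
    evaluated = results.count("denied") + results.count("ok")
    return evaluated, "ok" in results
```

Without the cap, a full sweep of the 10,000 possible values always ends in a match; with it, only `MAX_FAILURES` values are ever evaluated per window.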