Comcast has just been caught in a major security snafu: revealing the passwords of its customers’ Xfinity-provided wireless routers in plaintext on the web. Anyone with a subscriber’s account number and street address number will be served up the Wi-Fi name and password via the company’s Xfinity internet activation service.
Security researchers Karan Saini and Ryan Stevenson reported the issue to ZDNet.
The site is meant to help people setting up their internet for the first time: ideally, you put in your data, and Comcast sends back the router credentials while activating the service.
The problem is threefold:
- You can “activate” an account that’s already active
- The data required to do so is minimal and it is not verified via text or email
- The wireless name and password are sent on the web in plaintext
This means that anyone with your account number and street address number (e.g. the 1425 in “1425 Alder Ave,” no street name, city, or apartment number needed), both of which can be found on your paper bill or in an email, will instantly be given your router’s SSID and password, allowing them to log in and use it however they like or monitor its traffic. They …
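The three flaws listed above, modelled as a server-side activation handler next to a hardened form. This is an added illustration, not Comcast's code; the account records, field names and the `send_out_of_band` helper are assumptions constructed for the example.

```python
import hmac
import secrets

# Constructed sample records; account numbers and field names are assumptions.
ACCOUNTS = {
    "0000000000000001": {"house_number": "1425", "status": "active",
                         "contact": "+1-555-0100", "ssid": "HOME-1A2B",
                         "wifi_password": "constructed-sample-pass"},
    "0000000000000002": {"house_number": "77", "status": "pending",
                         "contact": "+1-555-0101", "ssid": "HOME-3C4D",
                         "wifi_password": "another-constructed-pass"},
}
PENDING = {}  # account number -> one-time code awaiting confirmation

def send_out_of_band(contact, code):
    """Stand-in for an SMS/e-mail gateway (assumption); the code never travels over the web form."""
    return True

def same(a, b):
    """Constant-time comparison of two strings."""
    return hmac.compare_digest(a.encode(), b.encode())

def activate_weak(account_no, house_number):
    """Behaviour the article describes: two values printed on a bill return the credentials."""
    acct = ACCOUNTS.get(account_no)
    if acct and acct["house_number"] == house_number:
        return {"ssid": acct["ssid"], "password": acct["wifi_password"]}
    return {"error": "not found"}

def activate_hardened(account_no, house_number):
    """Refuse re-activation, require out-of-band proof, never echo the password."""
    acct = ACCOUNTS.get(account_no)
    if not acct or not same(acct["house_number"], house_number):
        return {"error": "not found"}
    if acct["status"] == "active":
        return {"error": "already active"}       # flaw 1: active accounts cannot re-activate
    code = secrets.token_hex(4)
    PENDING[account_no] = code
    send_out_of_band(acct["contact"], code)      # flaw 2: verify via text or e-mail
    return {"status": "verification sent"}       # flaw 3: no credentials in the response

def confirm(account_no, code):
    """Finish activation only with the one-time code; a wrong guess consumes the code."""
    expected = PENDING.pop(account_no, None)
    if expected is None or not same(expected, code):
        return {"error": "verification failed"}
    ACCOUNTS[account_no]["status"] = "active"
    return {"status": "activated", "ssid": ACCOUNTS[account_no]["ssid"]}
```

In the hardened form the Wi-Fi password is never part of any web response; the example assumes the subscriber reads it from the device label or sets it locally.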
Source: TechCrunch Gadgets