US Comcast website leaks Xfinity customer data
Two researchers recently discovered that the US Comcast website used to activate Xfinity routers leaks sensitive user information. The website is primarily used to set up home Internet and cable TV services, and attackers could abuse it to display the home address where the router is located, along with the Wi-Fi name and password.
Testing found that the website returns the user’s Wi-Fi network name and password in clear text, and even if the password is changed, running the process again returns the new password. An attacker could change the Wi-Fi network name and password to temporarily lock the user out, or use the information to join the Wi-Fi network from within range and read unencrypted traffic. Comcast has now removed the option to return data from the site and is working to resolve the issue.
“There’s nothing more important than our customers’ security,” said a Comcast spokesperson. “Within hours of learning of this issue, we shut it down. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.”
Source: ZDNet