Comcast bug made it shockingly easy to steal customers’ Wi-Fi passwords

[Archiee]

A security hole in a Comcast service-activation website allowed anyone to obtain a customer's Wi-Fi network name and password by entering the customer's account number and a partial street address, ZDNet reported yesterday.

The problem would have let attackers "rename Wi-Fi network names and passwords, temporarily locking users out" of their home networks, ZDNet wrote. Obviously, an attacker could also use a Wi-Fi network name and password to log into an unsuspecting Comcast customer's home network.

Shortly after ZDNet's story was published, Comcast disabled the website feature that was leaking Wi-Fi passwords. "Within hours of learning of this issue, we shut it down," Comcast told ZDNet and Ars. "We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn't happen again."

"There's nothing more important than our customers' security," Comcast also said.

The problem affected Comcast customers who use a router supplied by Comcast. Customers who buy their own router instead of renting one from Comcast were unaffected, ZDNet wrote. Comcast charges customers $11 a month (plus taxes and fees) for Xfinity-branded gateways, which act as a modem and router.

The problem was discovered by security researchers Karan Saini and Ryan Stevenson, who shared their findings with ZDNet.

Not much security
The offending Comcast webpage is used by Comcast customers to set up their cable service. But the website bug let anyone retrieve a specific customer's Wi-Fi network name and password even if that customer had already set up their service. The website would also display the home address where the router was located, even though an attacker didn't need to know the customer's entire street address.

ZDNet reported:

Only a customer account ID and that customer's house or apartment number is needed—even though the web form asks for a full address. That information could be grabbed from a discarded bill or obtained from an email. In any case, a determined attacker could simply guess the house or apartment number.

ZDNet obtained permission from two Xfinity customers to check their information. We were able to obtain their full address and zip code—which both customers confirmed.

The site returned the Wi-Fi name and password—in plain text—used to connect to the network for one of the customers who uses an Xfinity router. The other customer was using his own router—and the site didn't return the Wi-Fi network name or password.

To prevent a recurrence, Comcast told Ars that it "removed the ability to log into the equipment activation site... using an account number and address."

Comcast also told Ars that the security problem never allowed access to "customers' personal usernames and passwords, and we have no reason to believe that any account information was accessed."

It's not uncommon for home Internet providers to make Wi-Fi network passwords available in plain text over the Internet. ISPs do this to help customers retrieve a lost network password or change their Wi-Fi password. But the practice comes with a significant security risk if the ISP doesn't protect the passwords from third parties, as Comcast failed to do in this case.

Since the problem appears to be related solely to Comcast's website and not to a specific Comcast router, it may have affected any Comcast customer who uses one of the companies' routers.

We asked Comcast if the problem affected all Comcast routers and how long the problem existed. We also asked for details on how Comcast secures customer Wi-Fi passwords. We'll update this article if we get any answers.

UPDATE: Comcast told us that it stores passwords using AES encryption and that Internet traffic containing passwords is secured with SSL. But it sounds as though the passwords were not hashed. The plain text passwords were only supposed to be available to people who authenticate properly to the Comcast system, Comcast told us. We'll update this article again if we get more information.