Comcast flaws exposed partial home addresses, Social Security numbers of 26.5 million customers

What just happened? Comcast has patched two previously unreported vulnerabilities in its online customer portal that exposed the partial home address and Social Security numbers of more than 26.5 million customers. Fortunately for Comcast, the flaws were reported before they could be exploited by nefarious parties.

Security researcher Ryan Stevenson discovered the flaws, according to BuzzFeed News.

One flaw was exploitable by visiting Comcast’s “in-home authentication” page in which customers can pay their bills without signing in. The portal asked customers to verify their account by selecting one of four partial home addresses from a list if it appeared as though the user was connected to the customer’s home network.


Obtaining and spoofing an IP address is relatively easy, and by refreshing the login page, three of the recommended partial addresses would change while the fourth (and correct) address would stay the same. With a partial address and a bit more detective work, it would be possible to determine the city, state and postal code of the partial address.

Comcast has since disabled in-home authentication and requires customers to manually input personal information to verify their account when paying a bill.


The other vulnerability involved a sign-up page on Comcast’s website for authorized dealers. With just a customer’s billing address, it was possible for a hacker to brute-force the last four digits of a customer’s Social Security number. Comcast’s portal didn’t restrict the number of attempts possible, meaning a user could keep plugging in digits until the correct combination was found.

After being tipped off about the vulnerability, Comcast added a rate limit to the portal.

Comcast spokesperson David McGuire told BuzzFeed News that they quickly investigated the issues and blocked both vulnerabilities within hours, eliminating the ability to exploit them. McGuire added that Comcast has no reason to believe the vulnerabilities were ever used against customers outside of the research described in the report.

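The two weaknesses described in the post, modelled as an added example in Python. This is not code from the article, from BuzzFeed or from Comcast: the class names, the masked address pool, the per-account decoy seed and the five-attempt lockout are all constructed for illustration. The first part shows why "refresh and intersect" isolates the one address that never changes, and a hypothetical variant where decoys are fixed per account so refreshing reveals nothing (Comcast's actual response was to disable in-home authentication). The second part shows an unthrottled last-four-SSN check falling to a 10,000-guess enumeration, and the same check with a per-address attempt limit.

```python
import random
import secrets

# Constructed sample data for the demo, not Comcast data: masked partial
# addresses in the style of a "pick your address" verification prompt.
ADDRESS_POOL = [
    "12** Main St", "45** Oak Ave", "78** Pine Rd", "90** Elm Blvd",
    "23** Maple Ln", "67** Cedar Ct", "34** Birch Dr", "56** Spruce Way",
]


class LeakyAddressPrompt:
    """Hypothetical model of the first flaw: the true partial address is shown
    every time, but the three decoys are re-drawn on each page refresh."""

    def __init__(self, true_address):
        self.true_address = true_address

    def options(self):
        decoys = random.sample([a for a in ADDRESS_POOL if a != self.true_address], 3)
        shown = decoys + [self.true_address]
        random.shuffle(shown)
        return shown


class StableAddressPrompt(LeakyAddressPrompt):
    """Hypothetical mitigation (not what Comcast shipped; they disabled the
    feature): decoys are fixed per account, so refreshing changes nothing.
    Assumption: a per-account seed stands in for a keyed PRF in a real system."""

    def __init__(self, true_address, account_id):
        super().__init__(true_address)
        rng = random.Random(f"decoys:{account_id}")
        shown = rng.sample([a for a in ADDRESS_POOL if a != true_address], 3) + [true_address]
        rng.shuffle(shown)
        self._shown = shown

    def options(self):
        return list(self._shown)


def intersect_refreshes(prompt, refreshes):
    """The refresh trick from the article: keep only the addresses that appear
    on every reload. Against the leaky prompt the set collapses to the true one."""
    survivors = set(prompt.options())
    for _ in range(refreshes - 1):
        survivors &= set(prompt.options())
    return survivors


class DealerSsnCheck:
    """Hypothetical model of the second flaw: a dealer sign-up step that takes a
    billing address plus the last four SSN digits. With max_attempts=None the
    check is unthrottled; with a limit it locks the address after N failures."""

    def __init__(self, last4, max_attempts=None):
        self._last4 = last4
        self._max_attempts = max_attempts
        self._failures = {}

    def verify(self, billing_address, guess):
        failures = self._failures.get(billing_address, 0)
        if self._max_attempts is not None and failures >= self._max_attempts:
            raise PermissionError("too many attempts for this billing address")
        ok = secrets.compare_digest(guess, self._last4)  # constant-time compare
        if not ok:
            self._failures[billing_address] = failures + 1
        return ok


def brute_force_last4(check, billing_address):
    """Enumerate 0000..9999 in order. Returns (hit, attempts_made); hit is None
    if the check locks the address before the right suffix is reached."""
    for i in range(10000):
        guess = f"{i:04d}"
        try:
            if check.verify(billing_address, guess):
                return guess, i + 1
        except PermissionError:
            return None, i
    return None, 10000


if __name__ == "__main__":
    addr = ADDRESS_POOL[2]
    print("leaky prompt, 40 refreshes:", intersect_refreshes(LeakyAddressPrompt(addr), 40))
    print("stable prompt, 40 refreshes:", intersect_refreshes(StableAddressPrompt(addr, "acct-1"), 40))
    print("unthrottled check:", brute_force_last4(DealerSsnCheck("6789"), "1 Main St"))
    print("5-attempt lockout:", brute_force_last4(DealerSsnCheck("6789", max_attempts=5), "1 Main St"))
```

Each decoy survives a single refresh with probability 3/7, so after a few dozen refreshes only the real address remains in the intersection; the stable prompt returns the same four entries every time, so the attacker learns nothing beyond the original one-in-four guess. Note that a lockout keyed only on the victim's billing address, as in the second part, lets an attacker lock a customer out by deliberately failing; a production check would also throttle per source and session and add back-off rather than rely on one counter.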

This is terrible. Unfortunately, I think they wouldn't be punished at all, given that Equifax faced no ramifications for their breach.
