Comcast Website Flaws Exposed SSNs, Home Addresses

Comcast is reportedly one of the "most-hated" companies in the U.S. already. Its customers often complain about inconsistent service and dreadful customer support. Those people now have something new to complain about: two security vulnerabilities reportedly let anyone with a little technical know-how learn part of customers' home addresses and Social Security numbers (SSNs).

Security researcher Ryan Stevenson revealed the vulnerability in a report from BuzzFeed. The flaws were found in a billing system that allowed people to pay their bills without having to sign into their Comcast account and the website used by Comcast's Authorized Dealers. The former made it easy to learn a Comcast subscriber's home address; the latter revealed partial SSNs.

Both flaws were easy to exploit. The first could be duped by learning someone's IP address (which isn't particularly hard) and spoofing it within that "in-home authentication" page that made it easy for people to pay their bills. The page reportedly showed four partial addresses that might correspond to the given IP address. Refresh it several times and eventually you could deduce that the one constant was the correct address.

Compromising someone's home address has obvious security implications. This knowledge could make it easier to harass someone, cause them physical harm, or to commit a potentially deadly "prank" by swatting them (that's when you call police with a fake emergency to convince them to send armed officers to the victim's home). Obtaining a subscriber's address was also necessary to exploit the next flaw.

The second flaw Stevenson discovered let someone using Comcast's Authorized Dealers website brute-force their way into learning the last four digits of a Comcast subscriber's SSN. How? Because as long as you had the correct address, Comcast didn't limit how many guesses you could make at the SSN associated with the account, so anyone with a little time on their hands could run a script that would just guess until it was right.

Here's the good news: Comcast resolved both of these issues after BuzzFeed reached out about the vulnerabilities. The "in-home authentication" page no longer exists, and there's now a limit to how many guesses one can make on the Authorized Dealers website. Comcast also told BuzzFeed it's not aware of anyone exploiting these vulnerabilities, but it's still investigating the matter, so that might change down the line.

Create a new thread in the US News comments forum about this subject
9 comments
Comment from the forums
    Your comment
  • thebigt42
    WTF is comcast doing with customer SSNs???
  • stdragon
    Anonymous said:
    WTF is comcast doing with customer SSNs???


    Using them to validate the caller is whom they say they are. You know, using SSNs explicitly in a way that it wasn't intended to be used for.

    They should be asking for the DL (drivers license) number instead if anything.
  • digitalgriffin
    Comcast uses SSN to establish credit before they hand you a bunch of equipment. But it's BS. Their equipment isn't that expensive. It's a huge money maker for them.
    I also believe Congress was floating bills in committee (laws not voted on yet) preventing 3rd party companies from using SSN's as identification due to data leaks like this.

    There was surprisingly big push-back by the industry on this.