Comcast Website Flaws Exposed SSNs, Home Addresses

By Nathaniel Mott
published

Comcast is reportedly one of the "most-hated" companies in the U.S. already. Its customers often complain about inconsistent service and dreadful customer support. Those people now have something new to complain about: two security vulnerabilities reportedly let anyone with a little technical know-how learn part of customers' home addresses and Social Security numbers (SSNs).

Security researcher Ryan Stevenson revealed the vulnerability in a report from BuzzFeed. The flaws were found in a billing system that allowed people to pay their bills without having to sign into their Comcast account and the website used by Comcast's Authorized Dealers. The former made it easy to learn a Comcast subscriber's home address; the latter revealed partial SSNs.

Both flaws were easy to exploit. The first could be duped by learning someone's IP address (which isn't particularly hard) and spoofing it within that "in-home authentication" page that made it easy for people to pay their bills. The page reportedly showed four partial addresses that might correspond to the given IP address. Refresh it several times and eventually you could deduce that the one constant was the correct address.

Compromising someone's home address has obvious security implications. This knowledge could make it easier to harass someone, cause them physical harm, or to commit a potentially deadly "prank" by swatting them (that's when you call police with a fake emergency to convince them to send armed officers to the victim's home). Obtaining a subscriber's address was also necessary to exploit the next flaw.

The second flaw Stevenson discovered let someone using Comcast's Authorized Dealers website brute-force their way into learning the last four digits of a Comcast subscriber's SSN. How? Because as long as you had the correct address, Comcast didn't limit how many guesses you could make at the SSN associated with the account, so anyone with a little time on their hands could run a script that would just guess until it was right.

Here's the good news: Comcast resolved both of these issues after BuzzFeed reached out about the vulnerabilities. The "in-home authentication" page no longer exists, and there's now a limit to how many guesses one can make on the Authorized Dealers website. Comcast also told BuzzFeed it's not aware of anyone exploiting these vulnerabilities, but it's still investigating the matter, so that might change down the line.

Nathaniel Mott
Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

Topics
Security
9 Comments Comment from the forums
  • thebigt42
    WTF is comcast doing with customer SSNs???
    Reply
  • stdragon
    21217611 said:
    WTF is comcast doing with customer SSNs???

    Using them to validate the caller is whom they say they are. You know, using SSNs explicitly in a way that it wasn't intended to be used for.

    They should be asking for the DL (drivers license) number instead if anything.
    Reply
  • digitalgriffin
    Comcast uses SSN to establish credit before they hand you a bunch of equipment. But it's BS. Their equipment isn't that expensive. It's a huge money maker for them.
    I also believe Congress was floating bills in committee (laws not voted on yet) preventing 3rd party companies from using SSN's as identification due to data leaks like this.

    There was surprisingly big push-back by the industry on this.
    Reply
  • why_wolf
    21217825 said:
    Comcast uses SSN to establish credit before they hand you a bunch of equipment. But it's BS. Their equipment isn't that expensive. It's a huge money maker for them.
    I also believe Congress was floating bills in committee (laws not voted on yet) preventing 3rd party companies from using SSN's as identification due to data leaks like this.

    There was surprisingly big push-back by the industry on this.

    Not surprising at all. The SSN is the only thing even close to a national ID number for US Citizens. If Congress wants businesses to stop using SSN to help tell John Smith #1 and John Smith #3678 apart from each other they need to roll out a real national ID number.
    Reply
  • stdragon
    One could argue that your Passport # is a national ID #

    obligatory "papers please"
    Reply
  • why_wolf
    21218017 said:
    One could argue that your Passport # is a national ID #

    obligatory "papers please"

    Except only people who go out of their way to get a passport get a passport number. Which means that the vast bulk of Americans don't have one.
    Reply
  • stdragon
    21218108 said:
    21218017 said:
    One could argue that your Passport # is a national ID #

    obligatory "papers please"

    Except only people who go out of their way to get a passport get a passport number. Which means that the vast bulk of Americans don't have one.

    That a valid counter argument, sure.

    The real irony is that in the state of Texas, you can get a Texas ID card which is basically a Texas DL card, sans the ability to drive. But if you look at their registration process, you're required to provide ......*drum roll*....and SSN number!

    https://www.dps.texas.gov/DriverLicense/applyforID.htm

    So basically, the SSN that was explicitly stated to not be a national ID, is in fact a defacto national ID.
    Reply
  • why_wolf
    21218374 said:
    21218108 said:
    21218017 said:
    One could argue that your Passport # is a national ID #

    obligatory "papers please"

    Except only people who go out of their way to get a passport get a passport number. Which means that the vast bulk of Americans don't have one.

    That a valid counter argument, sure.

    The real irony is that in the state of Texas, you can get a Texas ID card which is basically a Texas DL card, sans the ability to drive. But if you look at their registration process, you're required to provide ......*drum roll*....and SSN number!

    https://www.dps.texas.gov/DriverLicense/applyforID.htm

    So basically, the SSN that was explicitly stated to not be a national ID, is in fact a defacto national ID.

    It gets even worse when you consider the fact that Medicare/Medicaid, both federal programs, also used the SSN as their way to ID people. Heck up until last year Medicare was actually printing peoples SSN on their Medicare cards.
    Reply
  • canadianvice
    Law should set a dollar amount for lost data. Lose a SIN? It'll probably cost the government several thousand to get all that stuff rectified.... so, $1200 a SIN?

    That'd make this breach cost.... well, no figure in the article, but probably a lot. Maybe if IT had a definite amount to point to for costs if they don't get to do their job properly, we'd get better IT compensation and consideration.
    Reply