A flaw on Comcast's Xfinity website was caught leaking customers' account information to anyone on a customer's network. An anonymous researcher told ZDNet that an API on the US cable giant's website could be manipulated into revealing customers' account data including account number, home address, account type and any additional services enabled on the line.
ZDNet reports the API was designed to help users find stores and get account information. However, it only returns data if it recognizes an Xfinity customer's IP address. This means someone needs to be on a customer's Wi-Fi network to access their customer data.
According to the research, anyone connected to the customer's Wi-Fi network, including apps running on devices on that network, could request and access the customer's account information without their knowledge or permission.
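The authorization pattern described above, as an added example that is not Comcast's code: an account lookup keyed on the caller's source IP beside one keyed on a session issued at login, run for several devices that all sit behind the same home router. Account numbers, addresses, IPs and the password are constructed sample values.

```python
# Added illustration, not Comcast's code: why "the request came from a customer's IP" is
# not authorization. Every device behind a home router shares its public IP, so an
# IP-keyed lookup serves account data to anything on that network. All values are constructed.
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass
@dataclass(frozen=True)
class Account:
    number: str
    home_address: str
    plan: str

ACCOUNT = Account("ACCT-0001", "1 Example Street", "Gigabit")
PUBLIC_IP = "203.0.113.10"  # constructed: the home router's public address
IP_TO_ACCOUNT = {PUBLIC_IP: ACCOUNT}  # vulnerable pattern: source IP selects the account

def lookup_by_ip(source_ip: str) -> Account | None:
    """Vulnerable: anything sharing the customer's public IP gets the record."""
    return IP_TO_ACCOUNT.get(source_ip)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SessionStore:
    """Hardened: identity comes only from a session issued after login; the source IP
    is at most a signal for logging or rate limiting, never a substitute for it."""
    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)
        self._credentials = {ACCOUNT.number: _hash("correct horse", self._salt)}
        self._sessions = {}  # token -> account number

    def login(self, account_number: str, password: str) -> str | None:
        expected = self._credentials.get(account_number)
        if expected is None or not hmac.compare_digest(expected, _hash(password, self._salt)):
            return None  # unknown account or wrong password: no session
        token = secrets.token_urlsafe(32)
        self._sessions[token] = account_number
        return token

    def lookup_by_session(self, token: str | None) -> Account | None:
        return ACCOUNT if self._sessions.get(token or "") == ACCOUNT.number else None

def simulate(store: SessionStore) -> dict[str, tuple[bool, bool]]:
    """For each device behind the home NAT: (served by IP lookup, served by session)."""
    owner_token = store.login(ACCOUNT.number, "correct horse")
    devices = {"owner_laptop": owner_token, "guest_phone": None, "third_party_app": None}
    return {name: (lookup_by_ip(PUBLIC_IP) is not None, store.lookup_by_session(tok) is not None)
            for name, tok in devices.items()}
```

`simulate` shows the guest phone and the third-party app receiving the account under the IP lookup but nothing under the session lookup, which is the distinction the report turns on.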
The findings were independently verified by two other researchers, ZDNet reports, following which the publication notified Comcast.
The API has since been shut down.
"There's nothing more important than our customers' privacy and security," a Comcast spokesperson told ZDNet. "As soon as we became aware of this situation, our engineers turned the feature off, which could only be accessed within a customer's home or while logged into the customer's Wi-Fi network. We have no reason to believe that anyone's account information was improperly taken or used."
It is not immediately clear how long the flaw was live on the website and whether it was exploited by any malicious attackers.
The newly discovered flaw is also the second security issue exposed in less than two months.
In May, another bug in Comcast's website was found leaking sensitive Xfinity customer information including the home address where the router is located along with the Wi-Fi name and password.