There’s already plenty of reasons to dislike your internet service provider, but Comcast clearly wasn’t happy being simply disliked for its customer service and product. Researchers have discovered that a bug in Comcast’s website can reveal a customer’s full address, zip code, Wi-Fi network name and even your Wi-Fi password, all from putting in the account number.
ZDNet first reported on the data breach, which was discovered by Karan Saini and Ryan Stevenson, a pair of security researchers. They found that Comcast’s website has a tool that’s supposed to be used to activate a new Wi-Fi router at home, but it isn’t secured properly. The researchers found that all they needed was a customer account ID and the house or apartment number, rather than the full street address.
Once an attacker has entered a legitimate account ID and house number, they’ll see the customer’s full home address and their current Wi-Fi name and password. It also appears that they can change the Wi-Fi name and password, temporarily locking the customer out of their home Wi-Fi network. That’s only possible when the customer is using the Comcast-provided router, and ZDNet says that no Wi-Fi information is revealed if you’re using your own router.
“There’s nothing more important than our customers’ security,” a Comcast spokesperson told ZDNet. “Within hours of learning of this issue, we shut it down. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.”