A flaw in the Comcast website used to activate Xfinity routers can apparently be exploited to harvest sensitive customer information.
According to reports, the purpose of the site is to let customers set up their home Internet service without having to go through a customer service call. It is a useful service, except that it can apparently be tricked into revealing the home address wherever the router is located. The site can also be made to give up a user's Wi-Fi network name and password.
Two security researchers, Karan Saini and Ryan Stevenson, discovered the flaw.
For Saini, this is the third major flaw he has caught: he previously found a weakness in Uber's two-factor authentication system and a flaw in India's national biometric database.
For the exploit to work, an attacker needs the customer's account number and the house or apartment number. To replicate the trick, the ZDNet team obtained permission from two Xfinity customers to attempt an attack on their accounts.
"We were able to obtain their full address and zip code, which both customers confirmed," the publication reported. "For one of the customers, the site returned the Wi-Fi name and password, in plain text, used to connect to the network."
That customer, according to the article, used a router provided by Xfinity. The other customer used their own router, and the exploit did not return their Wi-Fi network name and password.
Moreover, the problem cannot be remedied by changing the password: when the researchers ran the exploit again, the site returned the newly reset password. According to reports, customers cannot opt out of using Xfinity hardware.
Among other nuisances associated with the flaw, attackers could also use the system to change a user's network name and password, locking out legitimate users. That, however, would quickly alert the rightful owner to the presence of an intruder.
Saini said that, with the flaw at hand alone, it would be nearly impossible to enumerate account numbers.
The flaw also does not appear to give attackers access to other sensitive data, such as the router's stored configuration. The most a cybercriminal could hope for would be to join a Wi-Fi network within range and use it to snoop on the unencrypted traffic of other users on that network.
"There is nothing more important than the security of our customers," a Comcast spokesperson said. "Within hours of learning of this issue, we shut it down. We are conducting a thorough investigation and will take all necessary steps to ensure that this does not happen again."
The disclosure of the flaw comes at an awkward time for Comcast, which is in the midst of polishing its reputation with a retail-store initiative meant to create hands-on technology experiences for its customers.
The hope for the program has been to forge a stronger relationship with consumers, who in recent years have relegated the brand to the category of companies "people love to hate". "We are opening ... next to the Apples and Sephoras and Ultas. We want to be where customers shop," said Tom DeVito, Senior Vice President of Retail Sales and Service.
That is not a terrible idea, but if Comcast does not keep customer data secure, it will not have many customers left to shop with it.
Comcast has since removed the feature from its website.