The Comcast website that activates Xfinity routers has a bug that exposes customers’ personal information. As reported by ZDNet, the page for setting up home Wi-Fi and cable services can display the home address of where the router is located and give away the Wi-Fi password. Comcast learned about the bug and fixed its site shortly after the report, and it said it’s conducting an investigation.
The bug was first spotted by two security researchers who told ZDNet their findings. The website initially requests the user’s full home address in order to verify your account and register their device. But researchers found they could sidestep that requirement with a customer ID along with an apartment or house number, prompting the website to reveal the full address and Wi-Fi password.
The vulnerability is particularly severe because customer ID numbers are so easily available. A bad actor could find a target’s customer ID from a bill they’ve thrown away and simply guess the house or apartment number. The bug was confirmed by ZDNet to return home addresses and Wi-Fi login information. For one user who didn’t own an Xfinity-branded router, the bug only returned the home address.
Comcast has said in a statement: “There’s nothing more important than our customers’ security. Within hours of learning of this issue, we shut it down. At no time did this site enable anyone to access customers’ personal usernames and passwords and we have no reason to believe that any account information was accessed. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.”
Last night, Comcast also announced its new mesh Wi-Fi extender pods shortly after news of the vulnerability became public.
Update May 22nd 4:30PM ET: This article was updated with a statement from Comcast.