A bug in Comcast’s website used to activate Xfinity routers can return sensitive information on the company’s customers.
The website, used by customers to set up their home internet and cable service, can be tricked into displaying the home address where the router is located, as well as the Wi-Fi name and password.
Two security researchers, Karan Saini and Ryan Stevenson, discovered the bug.
Read more on ZDNet.
According to a Comcast employee who contacted DataBreaches.net, Comcast did not tell employees why it suddenly changed the site to remove that option. The option, the employee said, had been useful when the normal account activation tool did not work. He hadn’t really made the connection how it could be exploited by bad actors. “Back to the normal activation tool,” he told DataBreaches.net.