
A Comcast Security Flaw Exposed Millions of Customers’ Personal Information - minimaxir
https://www.buzzfeednews.com/article/nicolenguyen/a-comcast-security-flaw-exposed-millions-of-customers
======
meowface
The address exposure vulnerability is really, really bad. Just about anyone
was able to impersonate another Comcast customer by sending their home IP
address in the X-Forwarded-For header to Comcast's device activation page, and
easily see a masked version of their address (first number of street number
and partial street name; street name is trivial to figure out with IP
geolocation, street number would need some trial and error).

I wonder how many Comcast customers were doxed with this method before it was
fixed.
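The failure described above is a server deriving the caller's identity from an X-Forwarded-For header that any client can set. As an added example (not Comcast's code, and assuming a hypothetical trusted-proxy range), here is the naive lookup beside a hardened one that only honours hops inserted by known proxies; the customer record lookup would then be keyed on the returned address.

```python
# Added example, not from the article or Comcast: deriving the client IP when
# a reverse-proxy chain may append X-Forwarded-For (XFF) hops.
import ipaddress
from typing import Optional

# Assumed (constructed for this example): the only proxies allowed to set XFF.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Vulnerable pattern: believes XFF from any TCP peer, so an ordinary
    client can claim any address simply by sending the header."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def is_trusted(addr: str) -> bool:
    """True if addr falls inside a trusted proxy range (raises on garbage)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def safe_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Hardened: ignore XFF unless the TCP peer is a trusted proxy, then walk
    the hops right-to-left (the order proxies append them) and stop at the
    first address that is not one of our own proxies; that is the client."""
    if not is_trusted(remote_addr):
        # Header came straight from an untrusted peer: it is attacker-controlled.
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:
            # Malformed hop: do not guess, fall back to the proxy's own address.
            break
    return remote_addr
```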

~~~
shawn
So, at the risk of getting murdered for this sentiment: Who cares? So what if
someone knows your address?

I guess it's a bigger problem for celebrities or for those who are targeted.
But even then, the police are there. Just call them.

I'm trying to understand the other side of this.

~~~
arzel
The information you obtain from vulnerabilities like these is used to obtain
“original” social media accounts, and is then sold for a lot of money. To
define what “original” is, take for instance “@shawn” on Instagram or Twitter.
When these people target celebrities, they are mainly looking for a laugh and
believe their “method” is about to be patched.

For example, T-Mobile and Verizon vulnerabilities are used to SIM swap and get
around 2FA on Instagram or Twitter. Usually, they first try to find an
employee who works at the store and has access to the database, before going
through all the trouble of finding a vuln.

This has been an “underground” space for quite some time, but is slowly coming
to light.

Source: I used to be in this space and made so much money off original
usernames. To give you an idea of what a username goes for, I sold the
Instagram @b*ss for $20,000.

~~~
komali2
How do users in this space securely transfer money without the FBI kicking
down their door the next day?

------
bpchaps
About two years ago, I spoke with Comcast's CISO over the phone about a leak
of a sysadmin's home directory. It included private keys, log files, configs,
licensed binaries, splunk(!), etc etc. A week before, her staff told me that
they were going to use the chance to offer me a bug as part of a non-existent
bug bounty, which didn't (and doesn't) exist.

She (paraphrased) told me that since it wasn't a "bug", it didn't deserve a
bounty as part of a bug bounty program. She followed that dribble by saying
that for them to implement a bug bounty program would be _far too expensive_
because it would lead to them having to fix all of the security flaws at
Comcast. No joke.

Dear Comcast: put out a fucking bug bounty!

------
cptskippy
Comcast leaks different bits of information in all sorts of ways. It would be
relatively easy to combine the information they leak with public records to
gain access to someone's account. This is just icing on the cake.

You can identify addresses that are Comcast customers simply by going to their
website and shopping for service. If you enter in the address of an existing
customer, it tells you.

You can cross-reference this with open records like tax and voter registration
to determine who lives there and potential phone numbers.

You can confirm the owner of the account by using Comcast's bill pay without
login feature. It allows you to specify a street address and telephone number
to view/pay a bill. And based on the bill amount you might be able to
determine which services they're subscribed to.

If the person is renting equipment then they'll be broadcasting a hotspot that
other customers can log into and use unless they're savvy enough to disable
it. That could be used to determine their IP address.

Those are just the ones I know about off the top of my head. I'm sure there
are many more.

------
confounded
If you have an independent local ISP, _use them_!

In SF both Monkey Brains and Sonic are excellent, pro-Net-Neutrality, pro-
privacy ISPs who offer non-exploitative contracts for internet access which is
unfiltered, blazingly fast, and incredibly cheap!

~~~
woolvalley
When I brought up those two ISPs to coworkers, they said they experienced
frequent enough outages. Do you use them? What has your experience been like?

~~~
jdblair
Sonic quality depends on the quality of the AT&T wiring to your home. At my
old house in Oakland, Sonic meant 3mbit DSL because AT&T had not updated the
old twisted pair. It meant I bailed and signed up for Comcast.

My new place in San Jose has fiber to the premises, so I signed up for Sonic
again. Good bandwidth, rock-solid service.

~~~
medmunds
In SF, at least, Sonic has started stringing their own fiber. But it’s not in
every neighborhood yet, and even in places where they are installing fiber,
some streets may be left dark (including, frustratingly, a big swath of
Potrero Hill where the utility poles are “overloaded”).

If you’re in a larger building (15+ units), there are a couple of other fiber
providers that may be an option, if building management is up for it.

MonkeyBrains is a wireless ISP. I regularly get 25-40 Mbps from them (though
they don’t guarantee that). I’ve had only occasional slowdowns and one outage
lasting a few hours. (So, more reliable than Comcast had been, at least for
me.) I’d heard rumors MonkeyBrains was planning some equipment upgrades that
would let them deliver 60-80 Mbps, but no official announcement or timetable.

------
CaliforniaKarl
Does US federal or California law mandate that breach notifications be sent by
postal mail? If not, then I wouldn’t be surprised if Comcast sends any/all
notifications to people’s Comcast email addresses. That’ll be a good way to
bury the notification, since I doubt many people check or forward their
Comcast email.

~~~
lmkg
Actual legal text on CA data breach law from the following link. Notification
requirements are near the bottom, starting with the section labeled "(j) For
purposes of this section, “notice” may be provided by one of the following
methods:"

[https://leginfo.legislature.ca.gov/faces/codes_displaySectio...](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.82)

Email notice is an option if meeting the restrictions listed in the Federal
law linked below. I think the relevant part is section (c), with the major
restriction being "affirmative consent."

[https://www.law.cornell.edu/uscode/text/15/7001](https://www.law.cornell.edu/uscode/text/15/7001)

Alternatively if the breach affects over half a million people, they can send
notifications by email, but also have to plaster their homepage and send
"Notification to major statewide media." The homepage banner would only affect
people who pay electronically but not by autopay. There are ways to minimize
the effect of news broadcast, e.g. send the press release at 4 o'clock on a
Friday when no one watches the news.

So, it's not quite as easy as you think but Comcast does have options to
minimize the impact of notification.

------
ryanlol
This exact same bug existed and was widely exploited 4-5 years ago.

------
King-Aaron
I know shitposting is completely frowned upon here, but I can't help but have
the image of that South Park Comcast guy in my head right now. "Oh, you had
your personal address and social security numbers stolen? Ooh, that's too bad."

~~~
shawn
[https://www.youtube.com/watch?v=rja7tCtxSN4](https://www.youtube.com/watch?v=rja7tCtxSN4)

It fits too well.

------
Paul-ish
Meanwhile, DirecTV still requires an SSN to sign up. Until something changes
(create a liability?), this will keep happening.

~~~
smelendez
It is a hard problem for all these companies. How else do you authenticate
someone remotely?

~~~
Paul-ish
Why do you need to authenticate someone to sign them up for your service?
Shouldn't a CC, name, and address be enough?

------
D-Coder
Can we send Comcast a bowling ball? An undrilled one? I'd love to see how they
fsck that up.

------
eric_b
There was no mass exposure of sensitive data. Two paths existed for determined
attackers to get the home address and possibly SSN for individually targeted
accounts. The process was manual and would have been difficult to automate to
compromise "millions" of accounts.

Based on the details in the article, this sounds like something that needed to
be fixed, but probably not even worth the time to write this article.

~~~
meowface
Strongly disagree. This effectively granted anyone with basic HTTP knowledge
the ability to dox anyone they interact with online, if that person is using
Comcast. The attacker does not need to be "determined" at all; it's trivial to
get someone's IP address (send them a link of any kind) and with this
vulnerability, trivial to find most of their home address. In short, some
asshole kid could send a SWAT team to your house just by knowing your IP
address, with not many steps in between.

The SSN last 4 digit bruteforcing is really bad, too. I'd say arguably not as
bad, since it's not very hard to get most people's SSNs on black markets these
days.

This is not a breach, but these are two massive vulnerabilities and they deserve
many articles.

~~~
btilly
There is no shortage of asshole kids who use SWAT teams in exactly that way.
See
[https://en.wikipedia.org/wiki/Swatting#Injuries_or_deaths_du...](https://en.wikipedia.org/wiki/Swatting#Injuries_or_deaths_due_to_swatting)
for a list of some notable cases.

~~~
meowface
Absolutely, but this exposure made it much easier to do en masse, plus made it
possible to dox targets who otherwise have good OPSEC and aren't easily
identified.
