A Comcast Security Flaw Exposed Millions of Customers’ Personal Information (buzzfeednews.com)
256 points by minimaxir 6 months ago | hide | past | web | favorite | 74 comments

The address exposure vulnerability is really, really bad. Just about anyone was able to impersonate another Comcast customer by sending their home IP address in the X-Forwarded-For header to Comcast's device activation page, and easily see a masked version of their address (first number of street number and partial street name; street name is trivial to figure out with IP geolocation, street number would need some trial and error).

I wonder how many Comcast customers were doxed with this method before it was fixed.
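The header-trust mistake the comment above describes, shown as an added example (not Comcast's code and not from the article) beside a hardened version that derives the client IP only from the TCP peer and from proxy hops the operator owns; the trusted-proxy range, IP addresses and subscriber table are constructed for the example.

```python
"""Added example: identifying a customer by X-Forwarded-For (XFF) alone.

A client controls its own request headers, so a lookup keyed on XFF lets
anyone name another subscriber's IP. The hardened resolver below trusts
XFF only when the request arrived through a proxy we operate, and walks
the header from the right so that the first hop we did not add is the
real client.
"""
import ipaddress
from typing import Callable, Dict, Optional

# Constructed for the example: the reverse proxies in front of the app.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed stand-in for a subscriber database keyed by assigned IP.
SUBSCRIBERS = {"203.0.113.7": "customer-A", "198.51.100.9": "customer-B"}


def client_ip_vulnerable(remote_addr: str, headers: Dict[str, str]) -> str:
    """Mirrors the flaw: believe whatever the request puts in XFF."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def _is_trusted_proxy(ip: str) -> bool:
    """True only for addresses inside our own proxy range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_hardened(remote_addr: str, headers: Dict[str, str]) -> str:
    """Resolve the client IP without trusting attacker-writable hops.

    If the TCP peer is not one of our proxies, XFF is client-supplied and
    ignored. Otherwise discard trusted hops from the right; the first
    untrusted hop is the client. If every hop is trusted, fall back to
    the peer rather than to an empty or forged value.
    """
    if not _is_trusted_proxy(remote_addr):
        return remote_addr
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted_proxy(hop):
            return hop
    return remote_addr


def lookup_subscriber(resolver: Callable[[str, Dict[str, str]], str],
                      remote_addr: str, headers: Dict[str, str]) -> Optional[str]:
    """The activation page's account lookup, parameterised on the resolver."""
    return SUBSCRIBERS.get(resolver(remote_addr, headers))


if __name__ == "__main__":
    # An outsider at 192.0.2.50 (not our proxy) forges XFF for customer-A.
    forged = {"X-Forwarded-For": "203.0.113.7"}
    print(lookup_subscriber(client_ip_vulnerable, "192.0.2.50", forged))  # customer-A
    print(lookup_subscriber(client_ip_hardened, "192.0.2.50", forged))    # None
    # The same forgery sent through our proxy, which appends the true peer.
    via_proxy = {"X-Forwarded-For": "203.0.113.7, 192.0.2.50"}
    print(lookup_subscriber(client_ip_hardened, "10.0.0.1", via_proxy))  # None
    # A genuine request from customer-B through two of our proxies.
    genuine = {"X-Forwarded-For": "198.51.100.9, 10.0.0.5"}
    print(lookup_subscriber(client_ip_hardened, "10.0.0.1", genuine))    # customer-B
```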

You know it's almost trivial to buy millions of people's full names, addresses, estimated income, etc., from legit data brokers right? It's how credit card start-ups know who to send direct mail to and it's 100% legal.

This is different though, no?

Say you go post on Infowars anonymously (but not through Tor/VPN/Proxy). They can now know where you live.

Of course the address is public. The relation between your IP address and your actual address isn't...

Yeah, that is indeed very different and troubling. I misunderstood.

This is very different. This is when you want to target a specific individual and are capable of attaining their IP address, but otherwise know none of their personal information. This, for example, greatly empowers SWATers.

So, at the risk of getting murdered for this sentiment: Who cares? So what if someone knows your address?

I guess it's a bigger problem for celebrities or for those who are targeted. But even then, the police are there. Just call them.

I'm trying to understand the other side of this.

I’m close with someone who actively keeps her address from public records to keep an old stalker from finding her.

The psychological effect of having someone treat you like an object, repeatedly hunt you down after moves, and gaslight you/landlords/cops into believing it’s not happening is harmful as it is—let alone the not-so-unlikely chance that someone with this high degree of intelligence and mental health issues will physically hurt you if they find you.

There’s not much you can do besides a paper restraining order. By the time the cops come it’s too late.

This possibility is a very real part of many people’s lives, but maybe less talked about with men like me because statistically female victims are more common.

> There’s not much you can do besides a paper restraining order. By the time the cops come it’s too late.

The cops don't have a specific obligation to "come" to help you. Nor to enforce a restraining order.

https://en.wikipedia.org/wiki/Warren_v._District_of_Columbia https://en.wikipedia.org/wiki/Town_of_Castle_Rock_v._Gonzale...

Everyone should read those two Wiki entries. The law often isn't what people think it is.

OTOH if someone breaks into your house and you smoke 'em, then in most states you're in the clear, even without a restraining order.

I know that's not what most people here want to read, but it is "the law of the land" in terms of legal precedent.

The information you obtain from vulnerabilities like these are used to obtain “original” social media accounts, and are then sold for a lot of money. To define what “original” is, take for instance “@shawn” on Instagram or Twitter. When these people target celebrities, they are mainly looking for a laugh and believe their “method” is about to be patched.

For example, T-Mobile and Verizon vulnerabilities are used to SIM swap and get around 2FA on instagram or twitter. Usually, they first try to find an employee who works at the store and has access to the database, before going through all the trouble of finding a vuln.

This has been an “underground” space for quite some time, but is slowly coming to light.

Source: I used to be in this space and made so much money off original usernames. To give you an idea of what a username goes for, I sold the Instagram @b*ss for $20,000.

How do users in this space securely transfer money without the FBI kicking down their door the next day?

Wow, this is a fascinating answer. Thanks for sharing.

How did you get that username?

The police? That sounds like a very ineffective solution. People aren't safe because of the police, they're safe because of the trustworthiness of their neighbors. The police can't be there to intercept most crimes; instead they show up to write a report post-fact. But at that point, you're calling the police for documentation of a crime for insurance.

Police can't be there to intercept the metaphorical brick through your window. The reason why we feel safe walking outside everyday is because of the fabric of trust in our community.

> But even then, the police are there. Just call them.

Uh, isn't that the exact problem? Once someone knows your address you're a voip call away from swatting.

Ah, yeah, I completely forgot about swatting. Good point. The sooner that problem gets solved, the better.

> The sooner that problem gets solved, the better.

We could just stop having SWAT teams. The events that supposedly justify them are so exceedingly rare that most members of SWAT teams go their entire careers without ever seeing one. But once they exist they get used for all kinds of routine operations that don't actually require them, where all they do is raise tensions and unnecessarily escalate matters.

There is a reason there is supposed to be a hard wall between the police and the military. If you really need a military presence, the governor can call in the National Guard. But when does that happen? Even they mostly end up getting called in for hurricane relief and that sort of thing.

The National Guard is called in when the local police force kills innocent civilians.

In many jurisdictions, the police will do little or nothing until a crime is committed. It's possible to experience a life-altering amount of harassment before the police will intervene in any meaningful way.

Think of it this way: Two people are playing an online game, and one gets mad at the other. He or she then sends a link to an image or something else to the player they are mad at, effectively siphoning off their IP address. By using this flaw, it could make it trivial to find their real address if it was a comcast customer, and send the SWAT team to their house.

Finding a location by IP address is not always reliable. The first result when googling my IP address yields a city 1,000 miles away (other results have the correct city). Then, knowing the first digit of a street address gets you a range of addresses that can represent anywhere from 1 to hundreds of homes. It's theoretically possible to get a specific address from this method but it's unlikely and not reliable.

The point of the article is that you could essentially get the exact house address from just the IP of a Comcast customer

Right, and my point is that you essentially can't. For my address the best you could do is narrow it down to ~30 or so homes that share the same first digit as my address. For this to work you have to:

(1) Have the IP address return the right location

(2) Not have duplicate street names in that location

(3) Have a single digit address OR be the only home starting with that number

That's going to be a pretty rare combo. Probably less than 1%.

They'll be able to narrow it down to 10-30 homes, but from there they can see who owns those homes, research those people on social media etc., and determine who their likely target is.

If you operate any kind of Bitcoin related service where someone discusses their wealth (message board, wallet provider, etc), then being able to turn an IP address into a physical address could have resulted in very lucrative forced-entry events where threat of force was used to leverage private keys.

How is this different than just breaking into houses in rich neighborhoods?

Most rich people don't have huge volumes of cash or anything as liquid as Bitcoin lying around.

I'm actually with you to a degree - but on the flip side, should we expect repercussions for something like this? Should we just be ok with it? As an industry we tend to play it pretty fast and loose compared to other engineering disciplines.

The "other side" consists of:

- a select few with good reasons to avoid their address being widely known. Because stalkers etc.

- All those infosec bros with their "attack vectors" and their "threat landscape". They'll scream "security by obscurity" when you're using an unlisted URL to share holiday photos, but get really miffed if someone finds out where they live, or where they go running.

OK, I bite. Please post your current home address.

I was thinking that exact thing in the name of experimentation. A sort of "Please come harass me, I want to see what people have to deal with."

I think that scenario was what happened with one of the more recent swattings in the news.

Person A and Person B are getting hot and bothered about something stupid. Person A says "come at me bro, here's my address." Person A gave Person B Person C's address instead.

Person B swatted Person C. Person C had no idea what was going on, went outside, maybe panicked, maybe whatever, but Person C was shot and killed because SWAT had no idea.

I believe A and B were arrested, but usually the cops don't get lucky. They couldn't find the idiot who tried swatting me, but they don't exactly have a ton of resources either.

Shit's scary, especially since it can happen anytime.

> The address exposure vulnerability is really, really bad

I have the President of the United States' address. 1600 Pennsylvania Avenue. Oh no! I done dox'd him!

Exposing information about someone that is largely already public is somewhat bad, but it's not "really, really bad". And it's certainly not worse than exposing the last 4 of their SSN.

There are many ways to dox people. If you have a specific target, you probably know their name; if not, you can phish it, and any other information you want. If you have their IP, you know their ISP. With their name and their ISP, and maybe some extra info gleaned from various sources like social media, you can get pretty much anything you want. Account access, phone numbers, billing information, socials, etc. With their phone number you can take over their phone, and then all their SMS-linked accounts.

Is this scary? Yes. Did I need to slowly extract their home address using a vendor's web form and their IP? No.

The last 4 of the social is much worse. It makes all of this incredibly easy and gives access to much more sensitive information, like medical records, payroll, government service information, etc.

> I have the President of the United States' address. 1600 Pennsylvania Avenue. Oh no! I done dox'd him!

If only we all had access to the Secret Service. Lots of modern games make use of P2P behind the scenes (e.g. for voice chat), which means that maladjusted script kiddie I just sniped already has my IP and might decide to forego DDoSing me and skip straight to calling in a hostage situation at my home address. Being able to easily resolve a concrete address from an IP is certainly a bigger deal than being able to determine its ISP.

This is sad but exposed the actual problem: militarization of our police. Of course, that is a completely different problem.

The last time I mentioned how disciplined our military was compared to seemingly trigger happy police though someone said quietly to let the military out of the barracks and live in my neighborhood as well as occupy public space everywhere within the country and my opinion will change within a few years. I suspect this is true. I don't have any solutions to this militarization, just wanted to point out that doxxing isn't the real problem but rather the swatting is.

> just wanted to point out that doxxing isn't the real problem but rather the swatting is.

The problem is that SS7 still allows anyone and their dog to spoof phone numbers. Swatting will always work because a (real) hostage situation is among the worst things that can happen for police, the others being terrorist attacks and serial killers.

Swatting can only be prevented reasonably by fixing telephony signalling and throwing the ones doing it into jail for a couple of years.

And just for the parent to your comment.

> Swatting will always work

Because ALSO most forces can't spend the money to train their police in hostage situations. It isn't just giving them big "toys" that they want to play with. It isn't that they aren't trained. It is that it is impractical to train them.

How do medical doctors handle this? Do we train doctors for rare/exotic diseases in medical school? Do we expect them to spend time off duty to educate/train themselves?

I get that it is impractical for Olathe Kansas to train all its police force in hostage negotiation and deescalation when most likely none of the force will ever use it but what is the alternative? We can't just bus the same negotiation team across the country every time. If we could, EPA wouldn't have its own armed servicemen, right? Also there wouldn't be a Port Authority Police Department in Port Authority of New York and New Jersey, right?

Basically, I imagine if you wear the equipment and gear for SWAT, you must be trained for it and well qualified in it. If not, then don't carry the gear. No?

Strongly disagree here.

> Exposing information about someone that is largely already public

A home address may be public, but the connection between that address and online activity, like posts on reddit / HN / some forum (political? fetish/porn? extremist? etc etc), is very much not public. Last 4 of social is not uniquely identifiable, but a (partial) home address almost is.

> If you have a specific target, you probably know their name

Not if they're being careful, like anyone would be if they don't want their posts online mapped back to them. But now you can DM them a link (or email them an image if you have an email address or redirect) and turn their IP into a home address. That's very bad.

Doxing someone isn't just exposing an arbitrary address, it's connecting a purportedly anonymous online account with personally identifying info.

Going back to the president, what if you could find out that some angry anonymous person posting racial slurs online was actually the POTUS? That is doxing.

It's still not that difficult to trace an IP back to a person. Besides the private marketing databases you can tap into, geoip, crappy ISP support, DNS cache poisoning, phishing, consumer internet router hacking, web service hacking, and other attacks on an address space itself, there's attacks in a social space that give away much more.

Saying this is a really bad vuln because you aren't as private as you think you are online is like saying lock picking is a really bad vuln because you didn't know door locks could be opened by anyone with a bent piece of metal or a shaved down key. Locks don't actually keep bad people out. They just make people feel safe. Same with this idea that your IP is anonymous. It's really not. It's a literal address.

> Going back to the president, what if you could find out that some angry anonymous person posting racial slurs online was actually the POTUS? That is doxing.

While I agree with your general sentiment, I hope you appreciate the irony of this particular example.

Yeah. Homeowner in Seattle? http://gismaps.kingcounty.gov/parcelviewer2/ has your address publicly available, unless you made special plans to purchase with an LLC or something. (And you probably need to be sure your LLC's mailing address is a PO box as well.)

That's beside the point. Resolving parcel numbers to owners is also problematic, likewise resolving license plate numbers to owners (used to be possible in Switzerland), but we're talking resolving IP addresses to owners. I wonder how many porn sites could blackmail viewers, or honeypot MPAA operators could sue torrent users more easily...

> likewise resolving license plate numbers to owners (used to be possible in Switzerland)

Still is, depending on the canton. For Zürich you get 5 lookups per day per IP[0]. For other cantons they might charge you a Swiss franc or so [1]. Cantons that charge 10-20 CHF and require a reasoning for why you need this data are in the minority.

[0] https://stva.zh.ch/internet/sicherheitsdirektion/stva/de/StV...

[1] https://www.linker.ch/eigenlink/autonummern_index.htm

It sounds like you think we disagree, but we don't disagree. Parcel lookup is just an interesting public information database many people are unaware of — so I felt it was worth sharing.

"honeypot MPAA operators could sue torrent users more easily"

Irrelevant, since Comcast already hands this information over to such parties willingly.

About two years ago, I spoke with Comcast's CISO over the phone about a leak of a sysadmin's home directory. It included private keys, log files, configs, licensed binaries, splunk(!), etc etc. A week before, her staff told me that they were going to use the chance to offer me a bug as part of a non-existent bug bounty, which didn't (and doesn't) exist.

She (paraphrased) told me that since it wasn't a "bug", it didn't deserve a bounty as part of a bug bounty program. She followed that dribble by saying that for them to implement a bug bounty program would be far too expensive because it would lead to them having to fix all of the security flaws at Comcast. No joke.

Dear Comcast: put out a fucking bug bounty!

Comcast leaks different bits of information in all sorts of ways. It would be relatively easy to combine the information they leak with public records to gain access to someone's account. This is just icing on the cake.

You can identify addresses that are Comcast customers simply by going to their website and shopping for service. If you enter in the address of an existing customer, it tells you.

You can cross reference this with open records like tax and voter registration to determine who lives there and potential phone numbers.

You can confirm the owner of the account by using Comcast's bill pay without login feature. It allows you to specify a street address and telephone number to view/pay a bill. And based on the bill amount you might be able to determine which services they're subscribed to.

If the person is renting equipment then they'll be broadcasting a hotspot that other customers can log into and use unless they're savvy enough to disable it. That could be used to determine their IP address.

Those are just the ones I know about off the top of my head. I'm sure there are many more.

If you have an independent local ISP, use them!

In SF both Monkey Brains and Sonic are excellent, pro-Net-Neutrality, pro-privacy ISPs who offer non-exploitative contracts for internet access which is unfiltered, blazingly fast, and incredibly cheap!

If only it was that easy. I can't remember which was which, but one company needed to put an aerial on the roof which my landlord rejected (even though it would save the 15 tenant units here shitloads of money), and the other one simply didn't have lines to our unit, and this is right on Russian Hill so pretty central SF in my opinion.

Comcast has a functional monopoly in my area, and that has been true my entire life except when I lived abroad. Our suburban home in Wisconsin, and again in South Carolina. Five different homes in Houston. Three in California. I shudder to think about the amount of information Comcast has on me, particularly if they snoop my network activity.

How do I know if I have an independent local ISP? I only see a large ISP advertising in my area.

Advertising is rarely a good way to learn anything.

I heard about Monkey Brains from a pal. From a quick search, the only comparison site that seems to mention them is Yelp.

broadbandnow.com lets you see all Internet providers in your area

> If you have an independent local ISP, use them!

Lol, if only. I can't remember the time I rented an apartment and had even an option other than a monopoly like Comcast. I've literally never seen it available in the midwest. You always just have the single choice, sadly.

When I brought up those two ISPs to coworkers, they said they experienced frequent enough outages. Do you use them? What has your experience been like?

Sonic quality depends on the quality of the AT&T wiring to your home. At my old house in Oakland, Sonic meant 3mbit DSL because AT&T had not updated the old twisted pair. It meant I bailed and signed up for Comcast.

My new place in San Jose has fiber to the premise, so I signed up for Sonic again. Good bandwidth, rock solid service.

In SF, at least, Sonic has started stringing their own fiber. But it’s not in every neighborhood yet, and even in places where they are installing fiber, some streets may be left dark, (including, frustratingly, a big swath of Potrero Hill where the utility poles are “overloaded”.)

If you’re in a larger building (15+ units), there are a couple of other fiber providers that may be an option, if building management is up for it.

MonkeyBrains is a wireless ISP. I regularly get 25-40 Mbps from them (though they don’t guarantee that). I’ve had only occasional slowdowns and one outage lasting a few hours. (So, more reliable than Comcast had been, at least for me.) I’d heard rumors MonkeyBrains was planning some equipment upgrades that would let them deliver 60-80 Mbps, but no official announcement or timetable.

I use Monkey Brains. I have very occasionally experienced a momentary drop in connectivity which immediately recovered. These have been less frequent than the times I had to call up Comcast and debug an outage over the phone.

See DSLReports for up to date local ISP speed and reliability records.


sonic.net (and pair.com, for hosting) are two companies where I have always been delighted on the few occasions when I had to call tech support, due to the intelligence and effectiveness of the people on the other end of the line.

It's just such a pleasure to talk to someone who is actually listening to and thinking about your problem, instead of simply reading from a script.

Does US federal or California law mandate that breach notifications be sent by postal mail? If not, then I wouldn’t be surprised if Comcast sends any/all notifications to people’s Comcast email addresses. That’ll be a good way to bury the notification, since I doubt many people check or forward their Comcast email.

Actual legal text on CA data breach law from the following link. Notification requirements are near the bottom, starting with the section labeled "(j) For purposes of this section, “notice” may be provided by one of the following methods:"


Email notice is an option if meeting the restrictions listed in the Federal law linked below. I think the relevant part is section (c), with the major restriction being "affirmative consent."


Alternatively if the breach affects over half a million people, they can send notifications by email, but also have to plaster their homepage and send "Notification to major statewide media." The homepage banner would only affect people who pay electronically but not by autopay. There are ways to minimize the effect of news broadcast, e.g. send the press release at 4 o'clock on a Friday when no one watches the news.

So, it's not quite as easy as you think but Comcast does have options to minimize the impact of notification.

To be fair, I don't read physical mail from Comcast either. I'm constantly flooded with junk mail from them.

This exact same bug existed and was widely exploited 4-5 years ago.

I know shitposting is completely frowned upon here, but I can't help but have the image of that South Park comcast guy in my head right now. "Oh, you had your personal address and social security numbers stolen? Ooh that's too bad. "

Meanwhile, DirecTV still requires SSN to sign up. Until something changes, (create a liability?) this will keep happening.

It is a hard problem for all these companies. How else do you authenticate someone remotely?

Why do you need to authenticate someone to sign them up for your service? Shouldn't a CC, name, and address be enough?

Can we send Comcast a bowling ball? An undrilled one? I'd love to see how they fsck that up.

There was no mass exposure of sensitive data. Two paths existed for determined attackers to get the home address and possibly SSN for individually targeted accounts. The process was manual and would have been difficult to automate to compromise "millions" of accounts.

Based on the details in the article, this sounds like something that needed to be fixed, but probably not even worth the time to write this article.

Strongly disagree. This effectively granted anyone with basic HTTP knowledge the ability to dox anyone they interact with online, if that person is using Comcast. The attacker does not need to be "determined" at all; it's trivial to get someone's IP address (send them a link of any kind) and with this vulnerability, trivial to find most of their home address. In short, some asshole kid could send a SWAT team to your house just by knowing your IP address, with not many steps in between.

The SSN last 4 digit bruteforcing is really bad, too. I'd say arguably not as bad, since it's not very hard to get most people's SSNs on black markets these days.

This is not a breach, but these are two massive vulnerabilities and deserve many articles.

There is no shortage of asshole kids who use SWAT teams in exactly that way. See https://en.wikipedia.org/wiki/Swatting#Injuries_or_deaths_du... for a list of some notable cases.

Absolutely, but this exposure made it much easier to do en masse, plus made it possible to dox targets who otherwise have good OPSEC and aren't easily identified.

This wouldn't necessarily be about determined attackers. Maybe a crazy guy you were beefing with in an online game has your IP address, and from that could get your physical address.
