Anyone with a subscriber's account number and street address would receive the Wi-Fi name and password in plaintext on the web via Comcast's Xfinity internet activation service
This was the latest major security incident recently shut down at Comcast. “There’s nothing more important than our customers’ security,” a Comcast representative said in a statement. “Within hours of learning of this issue, we shut it down. At no time did this site enable anyone to access customers’ personal usernames and passwords and we have no reason to believe that any account information was accessed. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again."
Here are the details
This issue was first reported to ZDNet by security researchers Karan Saini and Ryan Stevenson. The web app was intended to assist customers with the initial setup of their internet service. The intended flow was for the customer to submit their details, after which Comcast returned the router credentials while activating the service. The vulnerability this created was that anyone with your account number and just your street address number would instantly receive your router's SSID and password.
Here is the problem
An already active account can be "activated"
Minimal data is required to activate an account, and the request is not verified via email or text
The wireless name and password are sent over the internet in plaintext
Here are the effects of the vulnerability
Hackers might have logged in, renamed the router's network, changed its password, and used the router however they liked, or simply monitored its traffic. This snafu only affects people who used a router provided by Xfinity/Comcast.
How to fix it
Unfortunately, with a problem this huge, a simple password change won't work: Comcast would have just handed the hacker the new password. Fortunately, Comcast has recently taken down the service in question.
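The three problems listed above (re-activating an already active account, no out-of-band verification, and credentials returned in the response) and the point that a password change cannot help while the endpoint keeps handing out the current password all come down to how the activation endpoint is designed. The following is an added example, not Comcast's code and not from the researchers' report: it models the flawed flow as the article describes it next to a hardened version of the same endpoint. Everything in it is hypothetical: the in-memory account store, the contact channel, the `OUTBOX` that stands in for an SMS or e-mail gateway, and the sample accounts are all constructed for the example.

```python
"""Added example (hypothetical, not Comcast's code): the activation flaw the
article describes, modelled next to a hardened version of the same endpoint.

Assumptions: accounts live in a dict keyed by account number, a one-time code
is delivered out of band through a stubbed gateway, and router credentials
are stored with the account. All sample data is constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    account_number: str
    street_number: str
    contact: str                 # e-mail or phone already on file
    active: bool
    router_ssid: str
    router_password: str
    pending_code_hash: Optional[str] = None


# Constructed sample data: one already-active subscriber, one new one.
ACCOUNTS: Dict[str, Account] = {
    "000123456": Account("000123456", "42", "sub@example.com", True,
                         "HOME-1234", "c0rrect-h0rse"),
    "000654321": Account("000654321", "7", "new@example.com", False,
                         "HOME-9876", "battery-staple"),
}

# Stand-in for the SMS / e-mail gateway: (contact, code) pairs it would send.
OUTBOX: List[Tuple[str, str]] = []


def activate_flawed(account_number: str, street_number: str) -> dict:
    """Model of the flow the article describes: two low-entropy identifiers,
    no check that the account is already active, and the Wi-Fi password
    returned straight in the response."""
    acct = ACCOUNTS.get(account_number)
    if acct is None or acct.street_number != street_number:
        return {"error": "no such account"}
    acct.active = True
    return {"ssid": acct.router_ssid, "password": acct.router_password}


def begin_activation(account_number: str, street_number: str) -> dict:
    """Hardened step 1: refuse re-activation of an active account and send a
    one-time code to the contact channel on file instead of returning data."""
    acct = ACCOUNTS.get(account_number)
    # One generic reply for unknown, mismatched and already-active accounts,
    # so the endpoint does not confirm which account numbers exist.
    reply = {"status": "if eligible, a code has been sent"}
    if acct is None or acct.street_number != street_number or acct.active:
        return reply
    code = f"{secrets.randbelow(10 ** 6):06d}"
    acct.pending_code_hash = hashlib.sha256(code.encode()).hexdigest()
    OUTBOX.append((acct.contact, code))   # delivered out of band, not in HTTP
    return reply


def complete_activation(account_number: str, code: str) -> dict:
    """Hardened step 2: check the one-time code in constant time, consume it
    whether or not it matched, mark the account active, and still never echo
    the Wi-Fi password (the customer reads it from the router label or from
    an authenticated session)."""
    acct = ACCOUNTS.get(account_number)
    if acct is None or acct.pending_code_hash is None:
        return {"error": "no activation pending"}
    presented = hashlib.sha256(code.encode()).hexdigest()
    ok = hmac.compare_digest(presented, acct.pending_code_hash)
    acct.pending_code_hash = None          # single use, success or failure
    if not ok:
        return {"error": "invalid code"}
    acct.active = True
    return {"status": "activated", "ssid": acct.router_ssid}
```

The hardened version changes three things that map onto the list above: an active account cannot be "activated" again, the only way forward is a code sent to a channel Comcast already trusts, and the response never carries the password, so rotating the Wi-Fi password actually helps because there is no endpoint left that will reveal the new one.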
e-End is a leading NAID AAA Certified provider of secure data destruction of hard drives, electronic storage devices and all non-paper media, with data wipe service, hard drive degaussing service, hard drive shredding service and hard drive incineration. e-End is R2:2013 Certified to recycle a wide range of electronic equipment and devices; including PCs, servers, handheld devices, office equipment and all other electronic products. e-End destroys a wide range of equipment and devices for International Traffic in Arms Regulations (ITAR) compliance and demilitarization.