A little-known page on Comcast’s Xfinity website was exposing customers’ account information to anyone — or any app — on a customer’s network.
An anonymous security researcher dropped ZDNet an email, explaining that an API used by the internet giant could be tricked into returning customer data, including account numbers, a customer’s home address (which can be used to pinpoint a person’s location), account type, and any services enabled on the line, including if a home security setup is active.
The API was used as part of Xfinity’s website to help customers find stores and get account information. Because the API only returns data when it recognizes an Xfinity customer’s IP address, accessing a line owner’s customer data requires someone to already be on a customer’s network. Since every device behind a home router shares the line’s public IP address, the check cannot tell the account holder apart from a guest, an IoT device, or a malicious app on the same network.
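To show why source-IP recognition is not an authorization check, here is an added example (not Comcast's code) with a toy account-lookup API that trusts the caller's IP, beside a version that requires an authenticated session. All account records, IP addresses and the session token are constructed for the illustration.

```python
from typing import Optional

# Constructed data: the ISP maps one line's public IP to its account.
ACCOUNT_FOR_LINE_IP = {"203.0.113.10": "ACCT-0001"}
ACCOUNTS = {"ACCT-0001": {"address": "1 Example Street", "home_security": True}}
# A session exists only after the account holder logs in (constructed token).
SESSIONS = {"tok-owner-1234": "ACCT-0001"}


def nat_egress(device_ip: str) -> str:
    """Every device behind the home router leaves with the line's public IP."""
    return "203.0.113.10" if device_ip.startswith("192.168.1.") else device_ip


def lookup_by_source_ip(source_ip: str) -> Optional[dict]:
    """Weak model: the caller's IP is taken as proof of account ownership."""
    acct = ACCOUNT_FOR_LINE_IP.get(source_ip)
    return ACCOUNTS.get(acct) if acct else None


def lookup_with_session(source_ip: str, token: Optional[str]) -> Optional[dict]:
    """Hardened model: only a valid session identifies the account.

    The source IP is still useful for logging or rate limiting, but it is
    never the thing that decides whose data comes back.
    """
    acct = SESSIONS.get(token or "")
    return ACCOUNTS.get(acct) if acct else None


def simulate() -> dict:
    """The owner's laptop and a guest's phone sit behind the same NAT."""
    owner = nat_egress("192.168.1.20")
    guest = nat_egress("192.168.1.77")
    return {
        "weak_owner": lookup_by_source_ip(owner) is not None,
        "weak_guest": lookup_by_source_ip(guest) is not None,  # leak: same IP
        "hard_owner": lookup_with_session(owner, "tok-owner-1234") is not None,
        "hard_guest": lookup_with_session(guest, None) is not None,
    }
```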
Will Strafach, a mobile security expert, and Corben Leo, a security analyst, independently reproduced and verified the findings. Comcast shut down the API after ZDNet contacted the company.
“There’s nothing more important than our customers’ privacy and security,” said a spokesperson. “As soon as we became aware of this situation, our engineers turned the feature off, which could only be accessed within a customer’s home or while logged into the customer’s Wi-Fi network.”
“We have no reason to believe that anyone’s account information was improperly taken or used,” said the spokesperson, citing no evidence.
It’s the second Xfinity security issue in as many months.