Saini and Stevenson found that they only needed a customer ID and house or apartment number (not the full address) in order to force the website to deliver the information. This, in spite of the fact that the form did request a full address. This information can be obtained from a discarded bill, or if an attacker only has the ID, they can guess a house/apartment number.
ZDNet was able to confirm that the bug indeed returned home addresses, as well as Wi-Fi username and password information in plain text. For one user they tested who didn’t use Xfinity’s router, the website returned the home address but not the username or password of the Wi-Fi network (another reason to always use your own router). If this wasn’t bad enough, it’s possible someone could have used this method to rename a Wi-Fi network or change the password, locking someone out of their own network.
Comcast is aware of the issue and has removed the option from its website. “There’s nothing more important than our customers’ security,” a Comcast spokesperson told ZDNet . “Within hours of learning of this issue, we shut it down. We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.” Still, considering that the service just introduced its mesh routers last night , the timing of this discovery isn’t great. It’s good that the company acted quickly, but it doesn’t change the fact that this breach of security happened in the first place.