The authentication feature is designed to make it easier for customers to access their accounts and reduce instances of password resets by letting users choose their correct home address from a displayed list of four partial addresses.
The problem is that Comcast knows the customer's correct address by looking at the webpage visitor's IP address. This method could allow an attacker to find a customer's partial address by spotting the desired target customer's IP address and repeatedly refreshing the login page.
The threat actor would then see three of the suggested partial home addresses change, while only the correct one belonging to the targeted customer would remain the same.
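The refresh oracle described above can be checked for in a review, and closed, without changing the user-facing feature: the decoys must not be reshuffled per request. The following is an added illustration, not Comcast's code; the partial addresses, the customer id and the server secret are constructed placeholders.

```python
import hashlib
import hmac
import random

# Constructed sample data (not from the article): masked partial addresses.
DECOY_POOL = ["2*** Oak***", "7*** Pin***", "4*** Elm***",
              "9*** Map***", "1*** Ced***", "5*** Bir***"]
CORRECT = "3*** Mai***"                 # the targeted customer's real partial address
SERVER_SECRET = b"placeholder-secret"   # hypothetical server-side key, not a real value


def rotating_choices(correct, pool, rng=random):
    """Weak pattern from the article: three fresh decoys on every page load."""
    decoys = rng.sample([p for p in pool if p != correct], 3)
    options = decoys + [correct]
    rng.shuffle(options)
    return options


def stable_choices(correct, pool, customer_id, secret=SERVER_SECRET):
    """Hardened: decoys and their order are a deterministic function of the
    customer, keyed with a server secret, so every refresh shows the same four
    and repeated loads reveal nothing beyond a single load."""
    seed = hmac.new(secret, customer_id.encode(), hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    return rotating_choices(correct, pool, rng)


def persistent_options(render, refreshes=50):
    """Reviewer check: which options survive across many page loads?
    A refresh oracle exists when exactly one option is left standing."""
    surviving = set(render())
    for _ in range(refreshes):
        surviving &= set(render())
    return surviving


if __name__ == "__main__":
    weak = persistent_options(lambda: rotating_choices(CORRECT, DECOY_POOL))
    fixed = persistent_options(lambda: stable_choices(CORRECT, DECOY_POOL, "cust-123"))
    print("rotating decoys, options that never change:", weak)          # only the real one
    print("stable decoys, options that never change:", len(fixed), "of 4")
```

Stable decoys only remove the refresh signal; the address suggestion is still keyed off the visitor's IP address, which is the underlying weakness the article points at.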
Another vulnerability: the feature displays the first digit of the customer's street number and the first three letters of the street where they live, with asterisks hiding all other characters. But even from this limited information, the attacker could determine the customer's city, state, and postal code using an IP lookup website.
Stevenson also found another vulnerability that could allow an attacker to brute-force a customer's social security number using a sign-up page for Comcast's Authorized Dealers -- available via the website -- that allowed unlimited login attempts.