
Data-stealing bug prompts Comcast to shut down Xfinity activation website


Two security researchers uncovered a bug within Comcast’s online activation portal that revealed a customer’s home address along with the Wi-Fi network name and password in plain text. Within hours of learning of the flaw uncovered by Karan Saini and Ryan Stevenson, Comcast shut down the Xfinity activation site, citing customer security as its top concern.

To activate their routers, customers have to visit an Xfinity activation website and enter some user information to set up their router and service. Saini and Stevenson discovered that even though the website asks for a customer’s full address, only an apartment or house number was needed along with an account ID. Both pieces of information required to gain access to the activation portal could easily be found on a discarded bill.


The activation portal continues to work and return information about the customer and the Wi-Fi network even after the router and home broadband service have been activated.

If a customer is using a Comcast or Xfinity-branded router, then the activation portal continues to return updated network information, so if a customer changes the network name or password, that latest information would be displayed on the activation portal. ZDNet noted that there’s no way for a customer to opt out of this system. For customers using their own router, the publication discovered that the portal doesn’t have access to the Wi-Fi network name and password to display.
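As an added illustration (not Comcast’s code, and not part of the original report), the sketch below puts the reported behaviour next to a stricter server-side check. The record layout, field names, account IDs and the one-time code are all hypothetical; the one-time code stands in for any factor that is not printed on a bill.

```python
import hmac
import re

# Constructed sample records; every field name and value here is hypothetical.
ACCOUNTS = {
    "ACCT-0001": {"address": "1234 Elm Street Apt 5, Springfield", "activated": True,
                  "otp": "493817", "ssid": "HOME-1234", "wifi_password": "constructed-pass"},
    "ACCT-0002": {"address": "77 Oak Avenue, Springfield", "activated": False,
                  "otp": "205561", "ssid": "HOME-0077", "wifi_password": "constructed-pass-2"},
}

def _norm(text):
    """Lower-case and collapse punctuation so equivalent spellings compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def _equal(a, b):
    """Constant-time comparison of two strings."""
    return hmac.compare_digest(a.encode(), b.encode())

def lookup_weak(account_id, address):
    """The flaw as reported: only the house number is compared, and the full
    record is returned whether or not the service is already activated."""
    rec = ACCOUNTS.get(account_id)
    if rec is None or address.split()[:1] != rec["address"].split()[:1]:
        return None
    return rec

def lookup_hardened(account_id, address, otp):
    """Full address plus a one-time code that is not printed on the bill;
    closed after activation; never echoes the address or Wi-Fi credentials."""
    rec = ACCOUNTS.get(account_id)
    if rec is None:
        return None
    # Evaluate both comparisons before combining, so neither is skipped.
    ok = _equal(_norm(address), _norm(rec["address"])) & _equal(otp, rec["otp"])
    if not ok or rec["activated"]:
        return None
    return {"status": "ready_to_activate"}
```
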

At the most basic level, the security concern is that a customer’s network data and home address are protected only by information that is readily available on an account statement. Further, once a hacker obtains the network data, they can use it maliciously if they are in close proximity to the Wi-Fi network. The network ID and password could be used to gain access to unencrypted web traffic that passes through the router. Additionally, hackers can temporarily lock users out by changing the network name and password once they have access.

Comcast has since disabled this feature on its website to correct the security flaw. “Within hours of learning of this issue, we shut it down,” a Comcast spokesperson told ZDNet. “We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.” In a separate statement to Gizmodo, Comcast noted that it doesn’t believe that any data was improperly accessed as a result of this bug.

News of the bug comes at a time when Comcast is launching its own mesh networking accessory.

Chuong Nguyen