Following the discovery and subsequent fixing of a security flaw in Comcast's login portal earlier this month, it appears that Spectrum customers were also vulnerable to hacking through their internet service provider.
Security researchers Phobia and Nicholas "Convict" Ceraolo uncovered the issue, which allowed anyone to hack into Spectrum customers' accounts without a password, BuzzFeed News reports. A customer's IP address and a little social engineering could give hackers access to a user's email, billing address, or phone number. (That is, with a user's IP address, a hacker could contact customer service and glean other information about that user.) With that information, a hacker could obtain still more, such as login details or financial data, through an accurate-looking phishing email.
Charter acquired Time Warner in a merger in 2016, and their customers now fall under the Spectrum brand. However, customers still use the My TWC app, and a subset of pre-merger customers who lacked an access ID were vulnerable to having their MAC address stolen. The page where users could create an ID was the center of this security issue. There, a hacker could swap their IP address with the customer's and proceed through the account verification and profile creation process, even if some information (such as the user's zip code) was incorrect. Only the phone number needed to be accurate, and trial and error could eventually find the correct phone number if it wasn't previously known.
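The paragraph above describes two distinct weaknesses in the access-ID creation flow: the server accepted an IP address the caller supplied as proof of which customer was asking, and only the phone number had to match, so it could be found by repeated guessing. The following Python is an added illustration, not Spectrum's or Charter's own code, and the article does not say how Charter actually fixed the flaw. It places a model of the vulnerable check beside a hardened verifier that uses only the address the server itself observed on the connection, requires every profile field to match, and locks the record after a small number of failures. The account record, addresses, phone number and the three-attempt limit are all constructed assumptions.

```python
"""
Added example, not Spectrum's or Charter's code. It models the two weaknesses
the article describes in the access-ID creation page:
  1. the server trusted an IP address the caller typed into the request, and
  2. only the phone number had to be right, with no limit on attempts.
The hardened verifier uses the connection's server-observed IP, compares every
profile field, and locks the account after MAX_ATTEMPTS failures.
All account data, addresses and the limit are constructed for this example.
"""
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # assumption: lock the record after three failed verifications


@dataclass
class Account:
    account_id: str
    service_ip: str      # address the ISP assigned to this customer's line (constructed)
    zip_code: str
    phone: str
    failed_attempts: int = 0
    locked: bool = False


def make_accounts() -> dict:
    """Constructed sample customer record; not real data."""
    acct = Account("acct-1001", "203.0.113.10", "10001", "5551234567")
    return {acct.account_id: acct}


def find_by_ip(accounts: dict, ip: str):
    """Look up the customer whose line currently holds this address."""
    for acct in accounts.values():
        if acct.service_ip == ip:
            return acct
    return None


def vulnerable_verify(accounts: dict, submitted: dict) -> bool:
    """Models the flaw: the IP is read from the request body, only the phone
    number is compared, and nothing counts failed attempts."""
    acct = find_by_ip(accounts, submitted.get("ip", ""))
    if acct is None:
        return False
    return submitted.get("phone") == acct.phone   # zip code is never compared


def hardened_verify(accounts: dict, observed_ip: str, submitted: dict) -> bool:
    """observed_ip is the server's own view of the connection, never a body field.
    Every profile field must match, and repeated failures lock the record."""
    acct = find_by_ip(accounts, observed_ip)
    if acct is None or acct.locked:
        return False
    matched = (submitted.get("zip_code") == acct.zip_code
               and submitted.get("phone") == acct.phone)
    if matched:
        acct.failed_attempts = 0
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_ATTEMPTS:
        acct.locked = True   # further attempts, right or wrong, are refused
    return False


def demo() -> dict:
    """Runs both verifiers against the constructed account and returns the outcomes."""
    accounts = make_accounts()
    stranger_ip = "198.51.100.7"   # constructed: a connection that is not the customer's
    spoofed = {"ip": "203.0.113.10", "zip_code": "00000", "phone": "5551234567"}
    results = {
        # caller pastes the customer's IP into the form; the wrong zip code is ignored
        "vulnerable_accepts_spoofed_ip": vulnerable_verify(accounts, spoofed),
        # same form data, but the server sees the caller's real connection address
        "hardened_rejects_other_connection": hardened_verify(accounts, stranger_ip, spoofed),
        # genuine customer, on their own line, with every field correct
        "hardened_accepts_customer": hardened_verify(
            accounts, "203.0.113.10", {"zip_code": "10001", "phone": "5551234567"}),
    }
    # three wrong phone numbers from the customer's own line lock the record
    for guess in ("5550000001", "5550000002", "5550000003"):
        hardened_verify(accounts, "203.0.113.10", {"zip_code": "10001", "phone": guess})
    results["locked_after_guesses"] = accounts["acct-1001"].locked
    results["correct_after_lock"] = hardened_verify(
        accounts, "203.0.113.10", {"zip_code": "10001", "phone": "5551234567"})
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Even the hardened version treats a server-observed IP only as evidence of which line the request came from, not of who is at the keyboard; a shared or NAT'd address still covers several people, so a production flow would add an out-of-band confirmation (a code sent to the phone number or email already on file) before creating credentials.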
Luckily, the vulnerability doesn't appear to have been exploited in the wild, according to Spectrum's parent company, Charter Communications. Charter addressed the issue when the researchers brought it to their attention.
"We investigated and quickly implemented a fix to the vulnerability that was brought to our attention," Charter Communications spokesperson Francois Claude told BuzzFeed News. "We continue to investigate, but at this time have no reason to believe this vulnerability was ever used beyond the security researchers who reported it to BuzzFeed."
H/T BuzzFeed News