Simple Website Security Flaw Exposes Data Of Charter Internet Customers

Liquid Telecom
Share this

A Website Security flaw discovered in the site of Charter Communications, a cable and Internet provider active in 28 states, may have exposed the personal account details of its customers.

Security researcher Eric Taylor discovered the cable provider’s vulnerability as part of his research, and demonstrated how a simple header modification performed with a browser plug-in could reveal details about Charter’s Internet subscribers. After Fast Company notified Charter of the issue, the company said it had installed a fix within hours.

The vulnerability could reveal personal information of “millions” of the company’s subscribers, claimed Taylor, chief information officer for Cinder, an Internet startup. But a spokesperson for Charter told Fast Company that “the vast majority of Charter customers use a version of the site on which this security vulnerability was not an issue,” and that the number of customers affected was less than one million. The company is auditing its systems, he said, and has so far “seen no evidence of any password or data hacks.” The exposed data did not include credit card numbers.

Taylor, 18, discovered the issue with his colleague Blake Welsh, after recently finding a similar vulnerability in Verizon’s online customer service system. Luckily for Verizon, he said, that flaw “only exposed user IDs, phone numbers, and device names.” But the amount of user information exposed in Charter’s case, Taylor said, was “way way way more.”

Sensitive account information exposed by the simple hack includes payment details, modem serial numbers, device names, account numbers, home addresses, and more.

With 4.7 million residential Internet customers, Connecticut-based Charter is the nation’s fourth-largest cable operator. The company announced Monday it’s going through with a $10.4 billion deal to acquire Si Newhouse Jr.’s Syracuse, N.Y.-based Bright House Networks, the nation’s sixth-largest cable company. The deal will expand Charter’s customer base by more than 2 million, bumping its rank to the third-largest cable operator in the country.

How A Hacker Could Impersonate Subscribers

Charter’s site identified its customers through their IP addresses, akin to the way automated customer support hotlines identify customers by their phone numbers when they call. Thus, obtaining a subscriber’s IP address is all an attacker would need to see their account details. (IP addresses are the unique numbers for all Internet-connected devices and applications, and are increasingly easy to gather.)

Using a lightweight add-on for Firefox to modify HTTP headers, called “X-Forwarded-For Header,” a Website Security attacker essentially could pass off a Charter customer’s IP address as their own. The plug-in, as its description explains, “Inserts a X-Forwarded-For field into the HTTP Request header. Some servers look at this field to identify the originating IP address.”

Such a trick can be easily automated, not unlike a vulnerability that Andrew “weev” Auernheimer used to glean 114,000 iPad users’ email addresses from AT&T’s website in 2010.

“In theory, anyone with minor programming skills could code an automated program that scans every Charter IP and returns the customers billing info,” Taylor explained. Because ISPs like Charter distribute Internet services through blocks of IP addresses, an ambitious hacker could have incrementally added the number 1 to the end of a targeted address and see a different Charter customer’s account details each time.

“Personal information leakage as a result of such a Website Security vulnerability opens customers up to being attacked on other services such as email providers, cellular providers, and work-related functions with many untold consequences,” said Hector “Sabu” Monsegur, a former black hat hacker and security consultant.

After using a subscriber’s IP address to make the simple header modification, visiting a generic URL on Charter’s website to request a forgotten user name exposed a pre-filled form containing that user’s last name and home address data:…..Adapted from fastcompany.com

Share this

Related posts

Leave a Comment