Charter Website Flaw Exposed Customer Information

18-year-old security researcher Eric Taylor has found a security vulnerability in Charter Communications' website that exposed the personal data of around a million users. Speaking to Fast Company, Taylor stated that a simple header modification performed with a browser plug-in could reveal details about Charter broadband customers.

Taylor is the same person who discovered a similar vulnerability in Verizon's website earlier this month, and the same vulnerability in Comcast's systems back in 2013.

While the Verizon vulnerability "only" exposed user IDs, phone numbers, and device names, the Charter flaw exposed "way way way more" personal data. Like Verizon, Charter's website identified Charter customers by IP address, which made spoofing an identity a relatively trivial affair:
quote:
Using a lightweight add-on for Firefox to modify HTTP headers, called "X-Forwarded-For Header," an attacker essentially could pass off a Charter customer's IP address as their own. The plug-in, as its description explains, "Inserts a X-Forwarded-For field into the HTTP Request header. Some servers look at this field to identify the originating IP address."
While credit card numbers weren't exposed, payment details, modem serial numbers, device names, account numbers and home addresses were. In a statement Charter insisted that around 1 million of the company's 5.9 million customers were impacted by the flaw.
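The trust decision behind this class of flaw, as an added example that is not Charter's code or anything from the original article: `naive_client_ip` believes whatever X-Forwarded-For value the request carries, while `resolve_client_ip` accepts the header only from the site's own proxies. The proxy range `10.0.0.0/8` and all addresses are constructed, and the assumption that the site sits behind reverse proxies is ours.

```python
import ipaddress

# Constructed for illustration: the only hosts allowed to vouch for a client IP.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def naive_client_ip(peer_addr, xff_header):
    """Flawed pattern: believe the first X-Forwarded-For entry from anyone."""
    if xff_header:
        return xff_header.split(",")[0].strip()
    return peer_addr


def is_trusted(addr):
    """True if addr parses as an IP inside one of our proxy networks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_addr, xff_header):
    """Honor X-Forwarded-For only when the TCP peer is one of our proxies.

    Walk the header right to left: entries appended by our proxies are
    skipped, and the first address that is not ours is the client.
    Everything to the left of it was supplied by the client and is ignored.
    """
    if not is_trusted(peer_addr) or not xff_header:
        return peer_addr
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer_addr  # malformed entry: fall back to the socket peer
    return peer_addr
```

Even a correctly resolved address only identifies a network location, so pages that show account data still need an authenticated session rather than an IP match.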

Suntop
Wolfrider Elf
Premium Member
join:2000-03-23
Fairfield, MT
·T-Mobile
Netgear R6400
Netgear WNR1000
Netgear WNDR3400

1 recommendation

Suntop

Premium Member

Typical

When will these companies realize that personal information like Home Address, names and such should be as secured as the credit card numbers are in that system? Does it cost them a lot of money to program their systems to do so? Or are they just cutting corners? And an 18 year old found this out? It makes me wonder if a malicious teenager found out what could have happened?

Why are cable companies so damned screwy lately? I mean even Comcast was in the news again too over their alarm system that they YES yet again contracted out.... And then to avoid getting sued they put in a clause that holds them harmless if some homicidal maniacs come in and attempt to kill a loved one. Like in the Seattle area. It is like these cable companies do not care about customer safety. Who knows how many people now have their houses watched by dangerous individuals looking to cause mayhem? They have their addresses. Sure someone found this out and reported it but what happened BEFORE THEN?

I hope people are watching out for their safety.

Come on cable companies WAKE UP and protect your customers. They pay your wages and bills!
crooked
join:2000-07-29
Durham, NC

crooked

Member

Re: Typical

It's cheaper to deal with the PR repercussions of the info leaking than it is to actually build security into their tech :s
DigitalManny
join:2014-01-08
Glendale, CA

DigitalManny

Member

Is this really news?

Charter is probably the only cable company who is far behind in any tech such as their site, streaming apps and their DVRs which still use those 90s cable guide.

tshirt
Premium Member
join:2004-07-11
Snohomish, WA

1 recommendation

tshirt

Premium Member

It was bad enough...

...when this flaw first showed up at Comcast in 2013, but to find out in 2 years neither Verizon nor Charter IT security checked their own networks for the (now)KNOWN flaw?
Neither is so small or struggling that they couldn't have a regular, proactive, penetration/vulnerability testing programs... certainly for all known flaws as well as in house and outreach to "security researchers" or even script kiddies of any age could report (and even be rewarded) for finding new unknowns.
iwinrar
join:2010-03-18

1 recommendation

iwinrar

Member

Re: It was bad enough...

What is even sadder is no other security team bothered to check and it took them 2 years to find it. For all we know some blackhats did check and they had access for 2 years.

The_ANoN
@charter.com

The_ANoN

Anon

Smh

Yet another reason why Charter just might be the worst cableco in the US...they're horrible!

cork1958
Cork
Premium Member
join:2000-02-26

cork1958

Premium Member

Re: Smh

I don't know about the worst cableco in the U.S. but they have always been a day late on everything they've ever done compared to anyone else!

chartersucks
@mycingular.net

chartersucks to The_ANoN

Anon

to The_ANoN
And these clowns want to buy Time Warner