A security flaw discovered in the website of Charter Communications, a cable and Internet provider active in 28 states, may have exposed the personal account details of its customers.
Security researcher Eric Taylor discovered the cable provider’s vulnerability as part of his research, and demonstrated how a simple header modification performed with a browser plug-in could reveal details about Charter’s Internet subscribers. After Fast Company notified Charter of the issue, the company said it had installed a fix within hours.
The vulnerability could reveal personal information of “millions” of the company’s subscribers, claimed Taylor, chief information officer for Cinder, an Internet startup. But a spokesperson for Charter told Fast Company that “the vast majority of Charter customers use a version of the site on which this security vulnerability was not an issue,” and that the number of customers affected was less than one million. The company is auditing its systems, he said, and has so far “seen no evidence of any password or data hacks.” The exposed data did not include credit card numbers.
Taylor, 18, discovered the issue with his colleague Blake Welsh, after recently finding a similar vulnerability in Verizon’s online customer service system. Luckily for Verizon, he said, that flaw “only exposed user IDs, phone numbers, and device names.” But the amount of user information exposed in Charter’s case, Taylor said, was “way way way more.”
Sensitive account information exposed by the simple hack includes payment details, modem serial numbers, device names, account numbers, home addresses, and more.
With 4.7 million residential Internet customers, Connecticut-based Charter is the nation’s fourth-largest cable operator. The company announced Monday it’s going through with a $10.4 billion deal to acquire Si Newhouse Jr.’s Syracuse, N.Y.-based Bright House Networks, the nation’s sixth-largest cable company. The deal will expand Charter’s customer base by more than 2 million, bumping its rank to the third-largest cable operator in the country.
Charter’s site identified its customers through their IP addresses, akin to the way automated customer support hotlines identify customers by their phone numbers when they call. Thus, obtaining a subscriber’s IP address is all an attacker would need to see their account details. (IP addresses are the unique numbers for all Internet-connected devices and applications, and are increasingly easy to gather.)
Using a lightweight add-on for Firefox to modify HTTP headers, called “X-Forwarded-For Header,” an attacker essentially could pass off a Charter customer’s IP address as their own. The plug-in, as its description explains, “Inserts a X-Forwarded-For field into the HTTP Request header. Some servers look at this field to identify the originating IP address.”
Such a trick can be easily automated, not unlike a vulnerability that Andrew “weev” Auernheimer used to glean 114,000 iPad users’ email addresses from AT&T’s website in 2010.
“In theory, anyone with minor programming skills could code an automated program that scans every Charter IP and returns the customers billing info,” Taylor explained. Because ISPs like Charter distribute Internet services through blocks of IP addresses, an ambitious hacker could have incrementally added the number 1 to the end of a targeted address and see a different Charter customer’s account details each time.
“Personal information leakage as a result of such a vulnerability opens customers up to being attacked on other services such as email providers, cellular providers, and work-related functions with many untold consequences,” said Hector “Sabu” Monsegur, a former black hat hacker and security consultant.
After using a subscriber’s IP address to make the simple header modification, visiting a generic URL on Charter’s website to request a forgotten user name exposed a pre-filled form containing that user’s last name and home address data:
From there, clicking “Next” would expose the account holder’s user name.
As well, visiting a basic URL to create a new user name would allow the creation of secondary user accounts and email addresses:
After a new email address is set up, Taylor explained the subscriber’s sensitive information could be accessed via API links or viewing part of the site’s source code. “For any regular black hat that just wants to wreak havoc on a certain person, this exploit will allow them to take full control over Charter customer accounts,” said the teenage researcher.
He also theorized that such access to user information could be a sneaky way for law enforcement to “link customer billing info with nothing more than an IP address and no court order.”
“Having a serial number to customer modems could allow attackers with enough access to monitor traffic at the ISP level. It could also help rogue law enforcement agents who are looking to circumvent the justice system,” Monsegur said, adding that this type of problem is precisely what U.S. attorneys are pursuing: large corporations who fail to protect customer data.
Stewart Baker, former general counsel at NSA and assistant policy secretary at DHS under President George W. Bush, said he was skeptical that the vulnerability was meant to benefit law enforcement. “In fact, because it operates automatically and doesn’t require a subpoena, most well-advised ISPs wouldn’t adopt this as a way to give data to law enforcement.”
Baker, who hosts a podcast on cyberlaw, said the flaw might still have been intentional, “for the benefit of customer service reps who can easily do a lookup of a customer complaining about service problems. But I confess that I’m guessing.”
Charter isn’t the only company that’s left doors open to its subscriber accounts, according to Taylor. He describes the issue as a pattern he’s found with other large ISPs that identify customers by IP addresses. “I first found the same exploit in Comcast in 2013,” he said. “I would spoof my IP address and go to the ‘forgot username’ page, and it would pull up the address on file and then the user names and phone number on the account.” Taylor said he reported that bug to Comcast privately.
Cyber attacks are on the rise. A survey by PriceWaterhouseCoopers found that last year the number of detected incidents leapt 48% over 2013, to a total of 42.8 million, and the number of respondents reporting losses of $20 million or more almost doubled. In a recent report, Juniper Research warned of the rising cost that hacking poses to global industry, estimating businesses will see damages of more than 2 trillion dollars by 2019.
“Keeping our customers and network secure is priority number one at Charter,” the company spokesperson said.