A ‘Scarily Simple’ Bug Put Millions of Cox Cable Customer Accounts at Risk
Credit to Author: Louise Matsakis| Date: Fri, 05 Oct 2018 18:17:58 +0000
Cybersecurity researchers regularly disclose the bugs they find in different applications and websites across the internet. Sometimes, these vulnerabilities are incredibly complicated to exploit, evidence more of a researcher's expertise than something the average consumer should worry about. In other scenarios, analysts find simple holes that a novice could use to steal information. This is a case of the latter.
Earlier this month, a duo of researchers discovered a dead-simple insecurity on the website for Cox Communications, an US cable and internet provider with around six million customers. The problem they discovered would have allowed attackers to take over user accounts and gain access to sensitive data like billing information. Cox Communications patched the previously unreported vulnerability after WIRED reached out, and there's no evidence any customer information was compromised.
The insecurity related to how Cox Communications previously allowed customers to reset their online account passwords. In addition to answering a security question or responding to an email, people could elect to receive a phone call, with an automated voice reading them a special code. But a hacker could change the phone number associated with the account from the webpage, using only a customer's User ID or their cox.net email address, allowing them to intercept the code themselves. Then, they could reset the account and gain access to billing and other customer information. If they were simply interested in stealing information, rather than a specifically targeted attack, they could also guess random usernames.
"Cox takes the security of its customers’ accounts very seriously, and we promptly address any identified vulnerabilities. Once Cox was made aware of this issue, we acted quickly to resolve it," a spokesperson for the company said in a statement. "While our investigation continues, we do not believe this vulnerability was used outside of the test conducted by the security researcher. If individual customers were impacted, Cox will notify them."
The spokesperson declined to specify exactly what customer data may have been vulnerable, and whether every Cox customer has an online account. (It's possible only those who choose to pay their bill or manage their service online were affected.)
"Usually account takeovers have much more convoluted and complex steps, but this is the first one I discovered that was scarily simple," says Nicholas "Convict" Ceraolo, one of the security researchers, who along with his partner Ryan "Phobia" Stevenson, discovered the vulnerability. The same pair found a similar flaw on the website for TV and internet provider Spectrum, which was reported in August. It would have allowed attackers to take over accounts with only a customer's IP address.
Spectrum and Cox also aren’t the only cable providers to suffer from similar security issues this year. Also in August, a separate researcher found two vulnerabilities in the website for Comcast Xfinity, which inadvertently exposed customers’ partial addresses and the last four digits of their Social Security number.
By gaining access to your cable or internet account, an attacker wouldn’t necessarily be able to do much harm. But using the sensitive personal information they found there, including your home address, they might be able to impersonate you elsewhere, like to your bank. In the past, hackers have used personally identifying details to carry out attacks like SIM-swapping, where they masquerade as you to your cell phone provider. Then, they can port your information over to a new smartphone they control. Thankfully in this case, it appears no Cox accounts were compromised, and the vulnerability has been fixed.