Channel: CodeSection, Code Zone, Network Security - CodeSec

Security Flaws Allowed Full Access To Spectrum Customers’ Accounts Without A Pa ...

A vulnerability on internet and cable TV provider Spectrum's website made it possible for just about anyone to take over customers’ accounts without a password. Only a Spectrum customer’s IP address (a number unique to every Internet-connected device) was required to exploit the flaw, which security researchers Phobia and Nicholas “Convict” Ceraolo discovered.

After BuzzFeed News shared the previously unreported findings with parent company Charter Communications, spokesperson Francois Claude said, “We investigated and quickly implemented a fix to the vulnerability that was brought to our attention. We continue to investigate, but at this time have no reason to believe this vulnerability was ever used beyond the security researchers who reported it to BuzzFeed.”

With access to a customer’s internet and cable TV provider account, a hacker can see sensitive personal data like their billing address, email, and account number. That information could be used to social engineer ― in other words, deceive ― customer support personnel, who could be fooled into giving up more of a target’s data, or even to trick the customer with phishing emails that look like they are legitimate because they include accurate, detailed personal info related to their internet account.

The myTWC app, which an account provides access to, also shows the MAC address (a number that identifies each device on a network) of any equipment connected to the service. This can be used to impersonate another computer or router on a Wi-Fi network, and perform a man-in-the-middle type of attack to capture all of that network’s web traffic and acquire any data submitted to non-HTTPS sites, including login credentials.

