Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy Security The Internet

Simple Flaw Exposed Data On Millions of Charter Internet Customers 29

Daniel_Stuckey writes: A security flaw discovered in the website of Charter Communications, a cable and Internet provider active in 28 states, may have exposed the personal account details of millions of its customers. Security researcher Eric Taylor discovered the internet service provider's vulnerability as part of his research, and demonstrated how a simple header modification performed with a browser plug-in could reveal details of Charter subscriber accounts. After Fast Company notified Charter of the issue, the company said it had installed a fix within hours.
This discussion has been archived. No new comments can be posted.

Simple Flaw Exposed Data On Millions of Charter Internet Customers

Comments Filter:
  • by QuasiSteve ( 2042606 ) on Wednesday May 20, 2015 @09:33PM (#49741035)

    I figured i'd keep the subject in tone with TFS's 'upworthiness'.

    But unlike TFS and Upworthy et al, I'll spoil it for you:

    Their servers used the originating IP address to identify a connecting client as being a subscriber. They also followed "X-Forwarded-For" - a header normally used to indicate that the connecting client is effectively just being a proxy. Thus by manually setting this header to a valid subscriber's IP address, the attacker can trick the server into thinking that their client is that of the subscriber.

  • Ridiculous (Score:5, Insightful)

    by Etherwalk ( 681268 ) on Wednesday May 20, 2015 @09:51PM (#49741099)

    This is Security 101 stuff... as in, you read a good book on security and you know simple header changes should never be enough to reveal data of another customer. IIRC David LeBlanc's book mentioned a story where he pointed out the problem for a bank once...

    Fundamentally security for most companies is still a "don't invest unless we get caught not investing" type of expense. Like landlords who don't worry about providing... electricity...

    • by rezme ( 1677208 )
      I'd say it's more akin to a landlord not providing.... locks.
  • 'Using a lightweight add-on for Firefox to modify HTTP headers, called "X-Forwarded-For Header," an attacker essentially could pass off a Charter customer's IP address as their own. The plug-in, as its description explains, "Inserts a X-Forwarded-For field into the HTTP Request header. Some servers look at this field to identify the originating IP address."'

    What platform does Charter Communications run on, who designed the platform, and what were their names?
  • As a Charter customer, I've been relatively satisfied with them for over 15 years. I figure I must have it better than Comcast, Cox and whatever customers, I mean...because they are Comcast and Cox customers and shit.

    • But I actually forgot what this story was about and my data and privacy and stuff, so I'll get back to everyone about this.

  • by Anonymous Coward

    Companies hate him!

  • Charter kinda sucks (Score:5, Interesting)

    by Khyber ( 864651 ) <techkitsune@gmail.com> on Thursday May 21, 2015 @09:15AM (#49743305) Homepage Journal

    As a Charter customer, here's how lax they are.

    1. Order just internet and phone service, lowest-tier speeds. They come and hook you up with a combo phone/modem, stuff works, you're cruising the internet.
    2. Wait two months, call Charter and ask for an upgrade to their maximum-speed plan.
    3. They come out with ANOTHER modem (without the phone built-in,) on the claim you need that modem to attain the higher speeds.
    4. Tech hooks up the modem, gets it set, leaves.
    5. The other modem NEVER gets deprovisioned for internet.
    6. You now have two IP addresses and two maximum-speed connections for the price of one. Yes, that other modem is MORE THAN CAPABLE of handling Charter's maximum speed.
    7. Multiplex those motherfuckers together and absolutely RAPE Charter's network. They don't seem to care all that much.

    So to find out that they are so lax as to allow something like this to happen, not a surprise, at all.

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...