Simple Flaw Exposed Data On Millions of Charter Internet Customers
Daniel_Stuckey writes: A security flaw discovered in the website of Charter Communications, a cable and Internet provider active in 28 states, may have exposed the personal account details of millions of its customers. Security researcher Eric Taylor discovered the internet service provider's vulnerability as part of his research, and demonstrated how a simple header modification performed with a browser plug-in could reveal details of Charter subscriber accounts. After Fast Company notified Charter of the issue, the company said it had installed a fix within hours.
You Won't Believe This One Simple Header Mod (Score:5, Informative)
I figured I'd keep the subject in tone with TFS's 'upworthiness'.
But unlike TFS and Upworthy et al, I'll spoil it for you:
Their servers used the originating IP address to identify a connecting client as being a subscriber. They also followed "X-Forwarded-For", a header normally used to indicate that the connecting client is effectively just a proxy. Thus, by manually setting this header to a valid subscriber's IP address, the attacker can trick the server into thinking that their client is that of the subscriber.
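As an added example (not code from the post or from Charter's site), here is the client-identification logic the post describes beside a hardened version: the hardened one honours X-Forwarded-For only when the connection really comes from a proxy the operator runs, and still releases account data only to an authenticated session. All addresses and account names below are constructed.

```python
import ipaddress

# Constructed sample data (not Charter's): subscriber IPs the portal would
# recognise, and the reverse proxies the site operator actually runs.
SUBSCRIBER_IPS = {"203.0.113.10": "subscriber-A"}
TRUSTED_PROXIES = {"10.0.0.5"}


def vulnerable_identify(remote_addr, headers):
    """The flaw described in the post: X-Forwarded-For is believed from
    anyone, so the TCP peer address is silently replaced by a claimed one."""
    xff = headers.get("X-Forwarded-For")
    client_ip = xff.split(",")[0].strip() if xff else remote_addr
    return SUBSCRIBER_IPS.get(client_ip)


def hardened_client_ip(remote_addr, headers):
    """Derive the client address while honouring X-Forwarded-For only when
    the connection itself comes from a proxy we operate."""
    if remote_addr not in TRUSTED_PROXIES:
        return remote_addr  # header set by an untrusted party: ignore it
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by our own
    # proxies; the first address that is not one of them is the real client.
    for hop in reversed(hops):
        if hop in TRUSTED_PROXIES:
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: fall back to the peer address
        return hop
    return remote_addr


def hardened_identify(remote_addr, headers, session_account=None):
    """Account data is released only to an authenticated session; the IP is
    recorded for logging and abuse detection, never used as the credential."""
    client_ip = hardened_client_ip(remote_addr, headers)
    audit = {"client_ip": client_ip, "account": session_account}
    return (session_account, audit)
```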
Ridiculous (Score:5, Insightful)
This is Security 101 stuff... as in, you read a good book on security and you know simple header changes should never be enough to reveal data of another customer. IIRC David LeBlanc's book mentioned a story where he pointed out the problem for a bank once...
Fundamentally security for most companies is still a "don't invest unless we get caught not investing" type of expense. Like landlords who don't worry about providing... electricity...
Re: (Score:3)
But better channel map and more HD than Comcast.
Re: (Score:2)
30 megabit Internet connection to the home? Give me that amount of terrible, please!
Re: (Score:2)
They have 6 million customers and revenue of about 8 billion dollars a year.
You have quite an odd definition of "small".
Re: (Score:2)
It appears to be .Net
The customer login page is called login.aspx
Perhaps you meant C#?
Re: (Score:2)
Good programming languages cannot save a bad design.
Simple flaw exposed customers' data .. (Score:2)
What platform does Charter Communications run on, who designed the platform, and what were their names?
Not The Worst (Score:2)
As a Charter customer, I've been relatively satisfied with them for over 15 years. I figure I must have it better than Comcast, Cox and whatever customers, I mean...because they are Comcast and Cox customers and shit.
Re: (Score:2)
But I actually forgot what this story was about and my data and privacy and stuff, so I'll get back to everyone about this.
One Weird Trick that can steal millions (Score:1)
Companies hate him!
Charter kinda sucks (Score:5, Interesting)
As a Charter customer, here's how lax they are.
1. Order just internet and phone service, lowest-tier speeds. They come and hook you up with a combo phone/modem, stuff works, you're cruising the internet.
2. Wait two months, call Charter and ask for an upgrade to their maximum-speed plan.
3. They come out with ANOTHER modem (without the phone built-in), on the claim you need that modem to attain the higher speeds.
4. Tech hooks up the modem, gets it set, leaves.
5. The other modem NEVER gets deprovisioned for internet.
6. You now have two IP addresses and two maximum-speed connections for the price of one. Yes, that other modem is MORE THAN CAPABLE of handling Charter's maximum speed.
7. Multiplex those motherfuckers together and absolutely RAPE Charter's network. They don't seem to care all that much.
So to find out that they are so lax as to allow something like this to happen, not a surprise, at all.
Re: (Score:2)
They can't do that when the modem they give you on the second run is data only with no phone equipment built-in.
Re: (Score:2)
Bah, submitted too soon - they do this so they can ding you on the extra equipment charge.