A vulnerability on internet and cable TV provider Spectrum's website made it possible for just about anyone to take over customers’ accounts without a password. Only a Spectrum customer’s IP address (a number unique to every Internet-connected device) was required to exploit the flaw, which security researchers Phobia and Nicholas “Convict” Ceraolo discovered.

After BuzzFeed News shared the previously unreported findings with parent company Charter Communications, spokesperson Francois Claude said, “We investigated and quickly implemented a fix to the vulnerability that was brought to our attention. We continue to investigate, but at this time have no reason to believe this vulnerability was ever used beyond the security researchers who reported it to BuzzFeed.”

With access to a customer’s internet and cable TV provider account, a hacker can see sensitive personal data like their billing address, email, and account number. That information could be used to social engineer - in other words, deceive - customer support personnel, who could be fooled into giving up more of a target’s data, or even to trick the customer with phishing emails that look like they are legitimate because they include accurate, detailed personal info related to their internet account. The myTWC app, which an account provides access to, also shows the MAC address (a number that identifies each device on a network) of any equipment connected to the service. This can be used to impersonate another computer or router on a Wi-Fi network, and perform a man-in-the-middle type of attack to capture all of that network’s web traffic and acquire any data submitted to non-HTTPS sites, including login credentials.

Charter Communications, the second largest cable provider in the US, provides residential Internet access to 23 million customers. In 2016, Charter purchased Time Warner Cable and Bright House Networks, and merged the two internet companies under the Spectrum brand.

Claude noted that only a subset of Time Warner Cable’s 14 million pre-merger “legacy” customers - those without a “TWC ID” (an account through which they can pay for bills and watch TV online) - were affected by the security flaw. The spokesperson did not reveal exactly how many people are in that group, and only stated that the number is “significantly less” than the company’s subscriber base. Spectrum does not require its customers to register for a TWC ID, but according to the Charter spokesperson, the “majority” of its legacy customers have already registered.

A registration page where subscribers can create a TWC ID contained the crucial security flaw. If the targeted customer had not registered for a TWC ID, a hacker could trick the website and gain full access to the target’s account by replacing their own IP address with the customer’s using the “X-forwarded-for” technique, which can be executed even by technically unsophisticated hackers with a simple browser extension.

The registration website tried to verify subscribers’ identities by asking for their zip codes and phone numbers. But according to the security researcher Phobia, the zip code didn’t need to be correct to proceed to the next page. Only the phone number associated with the account needed to be accurate. With the spoofed IP address and correct phone number, hackers could register for a new TWC ID on an existing Time Warner Cable subscription, and obtain complete access to the customer’s account.

Additionally, Ceraolo found that hackers could use a brute-force software program in the phone number field (in other words, repeatedly try different 10-digit combinations), because the Spectrum website did not limit the number of attempts. That means it would be relatively easy for a hacker to take over someone’s account even without an accurate phone number.
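The two weaknesses described above, a client-supplied “X-forwarded-for” value accepted as the customer’s address and a phone number field with no attempt limit, have standard server-side mitigations. The following is an added example, not code from Spectrum or from the original article; the trusted proxy range, function names and limits are assumptions chosen for illustration, and the resolved address is meant for logging and throttling, not as proof of identity.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Assumption: the only hops allowed to set X-Forwarded-For (constructed range).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(peer_ip, xff_header):
    """Return the address to treat as the client.

    The header is honoured only when the TCP peer is a trusted proxy, and is
    walked right to left so client-supplied leading entries are never used.
    """
    if not xff_header or not is_trusted(peer_ip):
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:
            return peer_ip  # malformed entry: fall back to the socket address
    return peer_ip

class AttemptLimiter:
    """Sliding-window cap on identity-verification attempts per key."""

    def __init__(self, max_attempts=5, window_seconds=900):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.attempts = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.attempts[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop attempts that have aged out of the window
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True
```

Keying the limiter on the account being verified as well as on the resolved client address stops the guesses from being spread across many source addresses.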