Earlier this month, a group of researchers uncovered a rather simple vulnerability on the website for Cox Communications, a US cable and internet provider with around six million customers. The problem they uncovered would have given attackers full access to user accounts, including sensitive user information like billing and credit data.
Cox Communications patched the previously unreported vulnerability after WIRED reached out, and there’s no evidence any customer information was compromised.
The vulnerability related to how Cox Communications previously allowed customers to reset their online account passwords. In addition to answering a security question or responding to an email, people could elect to receive a phone call, with an automated voice reading them a special code.
But a hacker could change the phone number associated with the account from the webpage, using only a customer’s User ID or their cox.net email address, allowing them to intercept the code themselves. Then, they could reset the account and gain access to billing and other customer information.
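The flaw pattern described above, next to a hardened form, as an added Python example that is not Cox's code: the account store, session table, function names and the 24-hour cooldown on newly set numbers are all assumptions made for illustration.

```python
import time

# Constructed in-memory data; field names are assumptions for illustration.
ACCOUNTS = {"alice": {"phone": "+15550100", "phone_changed_at": 0.0}}
SESSIONS = {"tok-alice": "alice"}  # session token -> authenticated user id
COOLDOWN = 24 * 3600  # seconds a newly set number is barred from reset calls


def change_phone_weak(user_id, new_phone):
    """Flawed pattern: knowing the identifier is treated as proof of ownership."""
    ACCOUNTS[user_id]["phone"] = new_phone
    return True


def change_phone_hardened(session_token, user_id, new_phone, now=None):
    """Only a session authenticated as the account owner may change the number."""
    now = time.time() if now is None else now
    if SESSIONS.get(session_token) != user_id:
        return False  # unauthenticated, or authenticated as someone else
    account = ACCOUNTS[user_id]
    account["phone"] = new_phone
    account["phone_changed_at"] = now  # recorded so reset delivery can check age
    return True


def reset_code_destination(user_id, now=None):
    """Return the number a reset code may be read to, or None if it is too new."""
    now = time.time() if now is None else now
    account = ACCOUNTS[user_id]
    if now - account["phone_changed_at"] < COOLDOWN:
        return None  # fall back to another recovery channel
    return account["phone"]
```

The cooldown is a second layer: even if a number is changed through a stolen session, it cannot receive a reset code immediately.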
“Cox takes the security of its customers’ accounts very seriously, and we promptly address any identified vulnerabilities. Once Cox was made aware of this issue, we acted quickly to resolve it,” a spokesperson for the company said in a statement. “While our investigation continues, we do not believe this vulnerability was used outside of the test conducted by the security researcher. If individual customers were impacted, Cox will notify them.”
“Usually account takeovers have much more convoluted and complex steps, but this is the first one I discovered that was scarily simple,” says Nicholas “Convict” Ceraolo, one of the security researchers, who, along with his partner Ryan “Phobia” Stevenson, discovered the vulnerability. The same pair found a similar flaw on the website for TV and internet provider Spectrum, which was reported in August. It would have allowed attackers to take over accounts with only a customer’s IP address.
Spectrum and Cox aren’t the only cable providers to suffer from similar security issues this year. In August and September, a separate researcher found two vulnerabilities in the website for Comcast Xfinity, which inadvertently exposed customers’ partial addresses and the last four digits of their Social Security numbers.
In the past, hackers have used personally identifying details to carry out attacks like SIM-swapping, where they masquerade as you to your cell phone provider. Then, they can port your information over to a new smartphone they control. Thankfully in this case, it appears no Cox accounts were compromised, and the vulnerability has been fixed.