A Charter security flaw recently exposed the data of millions of customers. On the Charter Communications (Spectrum) website, a vulnerability was found that let almost anyone take over customer accounts without needing a password (via TechDirt).
Charter Security Flaw
The flaw involves tricking a Spectrum website that lets subscribers create an ID for Time Warner Cable (which Charter recently acquired). If a customer hadn't registered for an ID yet, the vulnerability let an attacker trick the website into creating one by replacing their own IP address with the customer's IP address.
The registration website tried to verify subscribers’ identities by asking for their zip codes and phone numbers. But according to the security researcher Phobia, the zip code didn’t need to be correct to proceed to the next page. Only the phone number associated with the account needed to be accurate.
Additionally, Ceraolo found that hackers could use a brute-force software program in the phone number field (in other words, repeatedly try different 10-digit combinations), because the Spectrum website did not limit the number of attempts. That means it would be relatively easy for a hacker to take over someone’s account even without an accurate phone number.
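As an added illustration (not code from the article, Charter, or the researchers), the two weaknesses described above, a zip code that was not actually checked and a phone-number field with no attempt limit, are modelled side by side with a verification gate that enforces both; the account record, the five-attempt limit and the guess sequence are constructed for the example.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample subscriber record; placeholder values, not real data.
ACCOUNTS = {"acct-1001": {"phone": "5551234567", "zip": "10001"}}

MAX_ATTEMPTS = 5  # assumed policy: stop answering after five failed verifications


@dataclass
class VerificationGate:
    """Checks phone and zip before an ID may be created for an account."""
    limit_attempts: bool = True   # False reproduces the unlimited-attempts weakness
    check_zip: bool = True        # False reproduces the ignored-zip weakness
    failures: dict = field(default_factory=dict)

    def verify(self, account_id: str, phone: str, zip_code: str) -> str:
        rec = ACCOUNTS.get(account_id)
        if rec is None:
            return "denied"
        if self.limit_attempts and self.failures.get(account_id, 0) >= MAX_ATTEMPTS:
            return "locked"       # lockout: the field stops being a guessing oracle
        phone_ok = hmac.compare_digest(phone, rec["phone"])
        zip_ok = (not self.check_zip) or hmac.compare_digest(zip_code, rec["zip"])
        if phone_ok and zip_ok:
            self.failures.pop(account_id, None)
            return "verified"
        self.failures[account_id] = self.failures.get(account_id, 0) + 1
        return "denied"


def probe_gate(gate: VerificationGate, account_id: str, zip_code: str, tries: int) -> tuple:
    """Regression check: feed sequential constructed guesses to the gate and report
    (result of the last answered attempt, number of attempts the gate answered)."""
    answered = 0
    for n in range(tries):
        guess = f"{5551234560 + n:010d}"   # constructed sequence; hits the record at n == 7
        result = gate.verify(account_id, guess, zip_code)
        if result == "locked":
            return ("locked", answered)
        answered += 1
        if result == "verified":
            return ("verified", answered)
    return ("denied", answered)
```

With the weak settings the gate accepts a wrong zip and keeps answering until the eighth guess succeeds; with both checks on, a wrong zip is rejected and the gate locks after five failures, before the correct number is ever reached.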
Once the fake ID is created, the attacker has access to private data such as billing addresses, emails, and account numbers. Charter has 23 million subscribers, but not all of them are affected: only people who were Time Warner Cable subscribers before the merger are affected, which is 14 million users.
Charter won’t say how many people have been affected, although the company claims that the flaws weren’t actually exploited.