Updated: Apr 8, 2019
Comcast has just been caught with a major security flaw: revealing the passwords of its customers’ Xfinity-provided wireless routers in plaintext on the web. Anyone with a subscriber’s account number and street address number will be served up the Wi-Fi name and password via the company’s Xfinity internet activation service.
The website, used by customers to set up their home internet and cable service, can be tricked into displaying the home address where the router is located, as well as the Wi-Fi name and password.
Only a customer account ID and that customer's house or apartment number are needed -- even though the web form asks for a full address. That information could be grabbed from a discarded bill or obtained from an email. In any case, a determined attacker could simply guess the house or apartment number.
This only affects people who use a router provided by Xfinity/Comcast, which comes with its own name and password built in. The site also returns custom SSIDs and passwords, though, since they’re synced with your account and can be changed via the app and other methods.
At this time, the only fix for these faulty modems is to purchase your own modem and wireless internet and stop leasing one from Comcast.
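The server-side gap described above (the form asks for a full address, but only the house or apartment number has to match, and the Wi-Fi password comes back in the response) is shown here as an added example, not Comcast's code. The account record, function names and the failure limit are all constructed assumptions; the hardened version compares the whole address, throttles failed attempts per account, and never returns the passphrase.

```python
import hmac
import re

# Constructed sample record; every value here is made up for the example.
ACCOUNTS = {
    "8499100000000001": {
        "address": "1234 Example St Apt 5, Springfield, IL 62701",
        "ssid": "HOME-1A2B",
        "psk": "constructed-passphrase",
    }
}
MAX_FAILURES = 5   # assumed limit; tune to the service
_failures = {}     # in-memory counter for the demo; use a shared store in production

def _norm(text):
    """Lower-case and collapse punctuation/whitespace so formatting does not matter."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def lookup_weak(account_id, address):
    """Flawed check: only the leading house number is compared, secrets are returned."""
    rec = ACCOUNTS.get(account_id)
    if rec is None or address.split()[:1] != rec["address"].split()[:1]:
        return None
    return {"address": rec["address"], "ssid": rec["ssid"], "psk": rec["psk"]}

def lookup_hardened(account_id, address):
    """Full-address match, per-account throttle, and no credentials in the reply."""
    if _failures.get(account_id, 0) >= MAX_FAILURES:
        return {"status": "locked"}
    rec = ACCOUNTS.get(account_id)
    # Constant-time comparison of the normalised full address, not just the number.
    ok = rec is not None and hmac.compare_digest(_norm(address), _norm(rec["address"]))
    if not ok:
        _failures[account_id] = _failures.get(account_id, 0) + 1
        return {"status": "denied"}
    _failures.pop(account_id, None)
    # The passphrase is never echoed back; it should be set or rotated on the device.
    return {"status": "verified"}
```

Returning only a status matters as much as the stricter match: even a fully verified session has no need to display an existing Wi-Fi password in plaintext.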