Cox Communications has fixed an authorization bypass vulnerability that enabled remote attackers to abuse exposed backend APIs to reset hundreds of thousands of modems’ settings and steal customers’ sensitive personal information.
Cox is the largest private broadband company in the U.S., providing internet, television, and phone services over fiber-powered networks to nearly seven million homes and businesses across more than 30 states.
Bug bounty hunter Sam Curry discovered the security flaw and found that successful exploitation gave threat actors a set of permissions similar to those of ISP tech support.
The attackers could have used this access to exploit any of the hundreds of thousands of Cox devices reachable through the vulnerable Cox APIs, overwriting configuration settings and executing commands on the device.
For example, by exploiting this authentication bypass vulnerability, malicious actors could look up a Cox customer using their name, phone number, email address, or account number via the exposed APIs.
They could then steal their personally identifiable information (PII), including MAC addresses, email, phone numbers, and addresses.
The attackers could also collect connected devices’ Wi-Fi passwords and other information by querying the hardware MAC address stolen in the previous attack stage. Subsequently, they could execute unauthorized commands, modify device settings, and gain control over the victim’s accounts.
“This series of vulnerabilities demonstrated a way in which a fully external attacker with no prerequisites could’ve executed commands and modified the settings of millions of modems, accessed any business customer’s PII, and gained essentially the same permissions of an ISP support team,” Curry stated.
“There were over 700 exposed APIs with many giving administrative functionality (e.g. querying the connected devices of a modem). Each API suffered from the same permission issues where replaying HTTP requests repeatedly would allow an attacker to run unauthorized commands.”
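The pattern Curry describes, a request that is refused but eventually succeeds when replayed enough times, leaves a recognisable trace in API access logs: the same client sending the identical request to an administrative endpoint many times with a mix of 403 and 2xx responses. The following detector is an added example written for this article, not code from Cox or from Curry's research; the log format, the `/api/v1/devices` path prefix, the MAC addresses and the client IPs are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed access-log format for this example (not Cox's real logging):
#   <timestamp> <client-ip> <method> <path> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<path>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log. One client replays a device-query request until a
# 200 slips through; a second client makes ordinary calls. Paths, MACs and
# IP addresses are made up for the example.
SAMPLE_LOG = """\
2024-03-03T10:00:01Z 203.0.113.7 GET /api/v1/devices/00-11-22-33-44-55/connected 403
2024-03-03T10:00:01Z 203.0.113.7 GET /api/v1/devices/00-11-22-33-44-55/connected 403
2024-03-03T10:00:02Z 203.0.113.7 GET /api/v1/devices/00-11-22-33-44-55/connected 403
2024-03-03T10:00:02Z 203.0.113.7 GET /api/v1/devices/00-11-22-33-44-55/connected 403
2024-03-03T10:00:02Z 203.0.113.7 GET /api/v1/devices/00-11-22-33-44-55/connected 403
2024-03-03T10:00:03Z 203.0.113.7 GET /api/v1/devices/00-11-22-33-44-55/connected 200
2024-03-03T10:00:05Z 198.51.100.9 GET /api/v1/account/profile 200
2024-03-03T10:00:06Z 198.51.100.9 GET /api/v1/account/profile 200
2024-03-03T10:00:07Z 198.51.100.9 POST /api/v1/devices/66-77-88-99-AA-BB/reset 403
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return a dict of fields for a well-formed log line, or None if it
    does not match the assumed format (malformed lines are skipped)."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_replay_bypass(log_text, admin_prefix="/api/v1/devices", min_attempts=5):
    """Group requests by (client, method, path) and flag groups where the
    client hit an administrative path at least min_attempts times, was
    refused at least once and also succeeded at least once. That
    combination is the replay-until-it-works signature. Returns a list of
    finding dicts ordered by client, method and path."""
    groups = defaultdict(lambda: {"attempts": 0, "denied": 0, "succeeded": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(admin_prefix):
            continue
        g = groups[(rec["client"], rec["method"], rec["path"])]
        g["attempts"] += 1
        if rec["status"] == 403:
            g["denied"] += 1
        elif 200 <= rec["status"] < 300:
            g["succeeded"] += 1

    findings = []
    for (client, method, path), g in sorted(groups.items()):
        if g["attempts"] >= min_attempts and g["denied"] and g["succeeded"]:
            findings.append({"client": client, "method": method, "path": path, **g})
    return findings


if __name__ == "__main__":
    for f in find_replay_bypass(SAMPLE_LOG):
        print(f"{f['client']} replayed {f['method']} {f['path']} "
              f"{f['attempts']}x: {f['denied']} denied, {f['succeeded']} succeeded")
```

On the constructed sample the detector reports only 203.0.113.7, which sent the same device query six times and got five refusals before a success; the single refused reset from 198.51.100.9 is below the threshold and the profile lookups are not on an administrative path. A mix of denials and successes for an identical request is the key signal: an authorization check that is merely rate-limited or flaky produces the same log shape, so the finding is a trigger for review of the endpoint's permission logic rather than proof of compromise on its own.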
The company took down the exposed API calls within six hours of Curry’s report on March 3 and patched the vulnerability the following day.
As part of a follow-up security review, Cox also investigated whether this attack vector had ever been exploited before being reported, but said it found no evidence of previous abuse attempts.