Cox Communications has fastened an authorization bypass vulnerability that enabled distant attackers to abuse uncovered backend APIs to reset hundreds of thousands of modems’ settings and steal prospects’ delicate private data.
Cox is the most important non-public broadband firm within the U.S., offering web, tv, and cellphone companies over fiber-powered networks to virtually seven million properties and companies throughout greater than 30 states.
Bug bounty hunter Sam Curry found the security flaw and located that profitable exploitation gave risk actors the same set of permissions as ISP tech assist.
The attackers might’ve used this entry to take advantage of any of the hundreds of thousands of Cox gadgets accessible by way of the weak Cox APIs, overwriting configuration settings and executing instructions on the machine.
For instance, by exploiting this authentication bypass vulnerability, malicious actors can search for a Cox buyer utilizing their title, cellphone quantity, electronic mail handle, or account quantity through the uncovered APIs.
They’ll then steal their personally identifiable data (PII), together with MAC addresses, electronic mail, cellphone numbers, and addresses.
The attackers also can gather related gadgets’ Wi-Fi passwords and different data by querying the {hardware} MAC handle stolen within the earlier assault stage. Subsequently, they’ll execute unauthorized instructions, modify machine settings, and achieve management over the sufferer’s accounts.
“This collection of vulnerabilities demonstrated a approach through which a completely exterior attacker with no stipulations might’ve executed instructions and modified the settings of hundreds of thousands of modems, accessed any enterprise buyer’s PII, and gained basically the identical permissions of an ISP assist crew,” Curry stated.
“There have been over 700 uncovered APIs with many giving administrative performance (e.g. querying the related gadgets of a modem). Every API suffered from the identical permission points the place replaying HTTP requests repeatedly would enable an attacker to run unauthorized instructions.”
The corporate took down the uncovered API calls inside six hours of Curry’s report on March 3 and patched the vulnerability the subsequent day.
As a part of a follow-up security evaluation, Cox additionally investigated whether or not this assault vector had ever been exploited earlier than being reported however stated it discovered no proof of earlier abuse makes an attempt.
