XDA Developers Android and Mobile Development Forum

[WARNING-Update:Solved] Xfinity Mobile (Comcast) exposes password in system log

aBSuRDiST
(Last edited by aBSuRDiST; 20th February 2011 at 03:14 AM.) Reason: Comcast updated their app
#1
Junior Member - OP

This post is regarding the Xfinity Mobile app: https://market.android.com/details?i...cast.ottclient

My system log shows <userName>MYUSERNAME@comcast.net</userName> and <password>MYPASSWORD</password> on a line that starts with "D/HTTPManager". I read the log using aLogcat (app available in the market). Open aLogcat, press menu and filter for "password". After I clear my log (using aLogcat) that line reappears even when I haven't used the Xfinity app. I don't use my Comcast credentials in any other app.

To try and resolve this I cleared data and cache for the Xfinity app, then cleared the system log in aLogcat, and restarted the phone for good measure. I opened the Xfinity app, logged in without checking "remember me" and unfortunately my username and password immediately reappeared in the system log.

I posted this issue here: http://forums.comcast.net/t5/Mobile-...og/td-p/872295. A Comcast employee responded to say they will investigate this issue and fix it within a few weeks. In the meantime, you may want to uninstall the Xfinity Mobile app and change your Comcast password, or at least do not share your system log with anyone (in bug reports for example) if you have Xfinity Mobile installed.

This may not be the only app that exposes sensitive information in the system log, but this is the only password I have found exposed.

I have a Motorola Droid running stock Android 2.2.

UPDATE - As squiddy20 pointed out, Comcast has updated their app to 2.0.2. They include instructions to clear the app data as part of the upgrade, but that may be unrelated to this issue. In any case, I cleared the app data and installed the update, and my credentials no longer show up in the log. As far as I can tell, they have completely resolved this issue. If the problem persists for anyone else, be sure to post that here and on the Comcast forum.
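
Added example (not part of the original post, and not Comcast's or aLogcat's code): a small scanner that does what the aLogcat "password" filter above does over a saved logcat dump, and also produces a redacted copy that is safe to attach to a bug report. It assumes the logcat "brief" line format; the sample lines, PIDs, the `<login>` wrapper and every secret element name other than `password` are constructed for illustration.

```python
import re

# logcat "brief" format: <priority>/<tag>(<pid>): <message>
BRIEF = re.compile(r"^(?P<prio>[VDIWEF])/(?P<tag>[^(]+?)\s*\(\s*(?P<pid>\d+)\):\s?(?P<msg>.*)$")

# Element names treated as secrets. "password" comes from the post;
# the other names are assumptions added for this example.
SECRET_ELEMENTS = ("password", "passwd", "pwd", "token")
SECRET_XML = re.compile(
    r"<(?P<name>%s)>(?P<value>.*?)</(?P=name)>" % "|".join(SECRET_ELEMENTS),
    re.IGNORECASE,
)

def scan_line(line):
    """Return (findings, redacted_line) for one logcat line."""
    m = BRIEF.match(line)
    tag, prio = (m.group("tag"), m.group("prio")) if m else ("?", "?")
    findings = []

    def redact(match):
        name, value = match.group("name"), match.group("value")
        if value:  # an empty element leaks nothing, so it is not reported
            findings.append({"tag": tag, "priority": prio,
                             "element": name, "length": len(value)})
        return "<%s>[REDACTED]</%s>" % (name, name)

    return findings, SECRET_XML.sub(redact, line)

def scan_log(text):
    """Scan a whole log dump; return (all findings, redacted copy)."""
    findings, redacted = [], []
    for line in text.splitlines():
        found, clean = scan_line(line)
        findings.extend(found)
        redacted.append(clean)
    return findings, "\n".join(redacted)

# Constructed sample lines (tag and element names follow the post;
# PIDs, the <login> wrapper and the other lines are made up).
SAMPLE = """\
I/ActivityManager(   85): Starting activity: Intent { cmp=com.example.app/.Login }
D/HTTPManager( 1234): <login><userName>MYUSERNAME@comcast.net</userName><password>MYPASSWORD</password></login>
D/HTTPManager( 1234): response code 200
"""

if __name__ == "__main__":
    hits, safe = scan_log(SAMPLE)
    for h in hits:
        print("%(priority)s/%(tag)s logs <%(element)s> (%(length)d chars)" % h)
    print(safe)
```

The findings record only the logging tag, priority, element name and value length, so the report itself never repeats the secret; the username is left in place, matching what later replies see in version 2.0.2.
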
 
packruler
#2
Wow Comcast.

Thanks for the heads up
 
squiddy20
#3
I checked this out for myself and the only way I could get it to show up was by logging out and then back in. I then did a reboot, let it sit for well over 5 minutes after it was fully booted, and then tried it and still no entry under "password". I don't get any of the sporadic, random popups you seem to have gotten. Oddly though, I have it set to not login automatically, yet after the reboot, it took me right to my email messages without me actually typing in my login info. That in itself is room for concern, let alone the possibility that login info is contained in the logcat in plain text.
Samsung Moment 2.1 running TiX 1.6 rom.
 
Ultraman666
#4
Interesting, I too have the same issue, squiddy20. Very concerning, not a good thing, Comcast.
 
craver009
#5
I was not able to see my password

I use an EVO with 2.3 and checked the same on my logs after logging in... and only saw my username; the password was nowhere to be found. I guess it would only happen when you first try to log in.
 
aBSuRDiST
#6
Junior Member - OP
Quote:
Originally Posted by squiddy20
I checked this out for myself and the only way I could get it to show up was by logging out and then back in. I then did a reboot, let it sit for well over 5 minutes after it was fully booted, and then tried it and still no entry under "password". I don't get any of the sporadic, random popups you seem to have gotten. Oddly though, I have it set to not login automatically, yet after the reboot, it took me right to my email messages without me actually typing in my login info. That in itself is room for concern, let alone the possibility that login info is contained in the logcat in plain text.
Samsung Moment 2.1 running TiX 1.6 rom.

Now that I have unchecked "remember me" my credentials only show up in my log when I log out and back in. Not sporadic any more.

Check your Xfinity Mobile -> Settings -> Log Out setting. If it is set to "Never", then you wouldn't have to log in again after a reboot. If it is set to "On Exit" then you should have to log in again after exiting the app or after a reboot... but that may be buggy.
 
squiddy20
#7
Thanks for the tip, but I honestly don't access my email through the app very much. To me, less things logged into and running in the background, means more memory for other things and slightly more battery life.
Also slightly less security problems! :P
 
squiddy20
(Last edited by squiddy20; 19th February 2011 at 04:19 AM.)
#8
Well, they've updated the app and I assume they've fixed the logcat problem (haven't checked for myself yet). They do have a note: "This Update will require you to log in to the application" plus the usual updates, improvements, and fixes.

Edit: just ran 2 checks with aLogcat and can confirm that the username and password info does not show up when searching for keyword "password". On a slight side note, I've noticed that hitting the home button on my Samsung Moment exits the app, but doesn't sign out. While hitting the back button from the main screen exits the app AND signs out. Settings also seem to be staying the same, even after reboots. Mine would reset occasionally, turning notifications on and other things.
 
dawgman25
#9
I have had some concerns as well. I have lost most of my channels in the TV listings area. It goes from 2-29 and then 75-99 but that is it. I have uninstalled and reinstalled the app several times, cleared data in applications, etc. As I reinstall the app, it is going right into my system without asking for a password which I find a bit alarming.

I assume that the program has reverted to a selection that is not the full digital programming which shows up when you first do an initial install. I cannot find a way to get back to that area to reset my configuration and add all my channels back. I have emailed Comcast and those idiots responded that they do not have an app that works with Android yet, only iPads and iPhones. Quite comical.

Any help would be greatly appreciated.
 
ilhe1s
(Last edited by ilhe1s; 23rd February 2011 at 06:29 PM.)
#10
I have tried all of the methods mentioned above and when I log in using username and password, and filter aLogcat, only my username appears in the log. Also tried brief and long settings in aLogcat preferences.

Edit: This is using the 2.0.2 version.