[WARNING-Update:Solved] Xfinity Mobile (Comcast) exposes password in system log

Search This thread

aBSuRDiST

Member
Oct 27, 2010
13
3
This post is regarding the Xfinity Mobile app: https://market.android.com/details?id=net.comcast.ottclient

My system log shows <userName>MYUSERNAME@comcast.net</userName> and <password>MYPASSWORD</password> on a line that starts with "D/HTTPManager". I read the log using aLogcat (app available in the market). Open aLogcat, press menu and filter for "password". After I clear my log (using aLogcat) that line reappears even when I haven't used the Xfinity app. I don't use my comcast credentials in any other app.

To try and resolve this I cleared data and cache for the Xfinity app, then cleared the system log in aLogcat, and restarted the phone for good measure. I opened the Xfinity app, logged in without checking "remember me" and unfortunately my username and password immediately reappeared in the system log.

I posted this issue here: http://forums.comcast.net/t5/Mobile-Apps-and-Web/Password-revealed-in-android-system-log/td-p/872295. A Comcast employee responded to say they will investigate this issue and fix it within a few weeks. In the mean time, you may want to uninstall the Xfinity Mobile app and change your Comcast password, or at least do not share your system log with anyone (in bug reports for example) if you have Xfinity Mobile installed.

This may not be the only app that exposes sensitive information in the system log, but this is the only password I have found exposed.

I have a Motorola Droid running stock Android 2.2.

UPDATE - As squiddy20 pointed out, Comcast has updated their app to 2.0.2. They include instructions to clear the app data as part of the upgrade, but that may be unrelated to this issue. In any case, I cleared the app data and installed the update, and my credentials no longer show up in the log. As far as I can tell, they have completely resolved this issue. :) If the problem persists for anyone else, be sure to post that here and on the Comcast forum.
 
Last edited:

squiddy20

Member
Oct 30, 2010
31
6
I checked this out for myself and the only way I could get it to show up was by logging out and then back in. I then did a reboot, let it sit for well over 5 minutes after it was fully booted, and then tried it and still no entry under "password". I dont get any of the sporadic, random popups you seem to have gotten. Oddly though, I have it set to not login automatically, yet after the reboot, it took me right to my email messages without me actually typing in my login info. That in itself is room for concern, let alone the possibility that login info is contained in the logcat in plain text.
Samsung Moment 2.1 running TiX 1.6 rom.
 

craver009

New member
Feb 15, 2011
1
0
I was not able to see my password

I use an EVO with 2.3 and checked the same on my logs after logging in .. and only saw my username the password was nowhere to be found. I guess it would only happen when you first try to login.
 

aBSuRDiST

Member
Oct 27, 2010
13
3
I checked this out for myself and the only way I could get it to show up was by logging out and then back in. I then did a reboot, let it sit for well over 5 minutes after it was fully booted, and then tried it and still no entry under "password". I dont get any of the sporadic, random popups you seem to have gotten. Oddly though, I have it set to not login automatically, yet after the reboot, it took me right to my email messages without me actually typing in my login info. That in itself is room for concern, let alone the possibility that login info is contained in the logcat in plain text.
Samsung Moment 2.1 running TiX 1.6 rom.

Now that I have unchecked "remember me" my credentials only show up in my log when I log out and back in. Not sporadic any more.

Check your Xfinity Mobile -> Settings -> Log Out setting. If it is set to "Never", then you wouldn't have to log in again after a reboot. If it is set to "On Exit" then you should have to log in again after exiting the app or after a reboot... but that may be buggy.
 

squiddy20

Member
Oct 30, 2010
31
6
Thanks for the tip, but I honestly don't access my email through the app very much. To me, less things logged into and running in the background, means more memory for other things and slightly more battery life. :)
Also slightly less security problems! :p
 

squiddy20

Member
Oct 30, 2010
31
6
Well, they've updated the app and I assume they've fixed the logcat problem (haven't checked for myself yet). They do have a note: "This Update will require you to log in to the application" plus the usual updates, improvements, and fixes.

Edit: just ran 2 checks with aLogcat and can confirm that the username and password info does not show up when searching for keyword "password". On a slight side note, I've noticed that hitting the home button on my Samsung Moment exits the app, but doesn't sign out. While hitting the back button from the main screen exits the app AND signs out. Settings also seem to be staying the same, even after reboots. Mine would reset occasionally, turning notifications on and other things.
 
Last edited:

dawgman25

Member
Dec 16, 2010
6
0
I have had some concerns as well. I have lost most of my channels in the TV listings area. It goes from 2-29 and then 75-99 but that is it. I have uninstalled and reinstalled the app several times, cleared data in applications, etc. As I reinstall the app, it is going right into my system without asking for a password which I find a bit alarming.

I assume that the program has reverted to a selection that is not the full digital programming which shows up when you first do an initial install. I cannot find a way to get back to that area to reset my configuration and add all my channels back. I have emailed Comcast and those idiots responded that they do not have an app that works with Android yet, only iPads and iPhones. Quite comical.

Any help would be greatly appreciated.
 

ilhe1s

Senior Member
Jun 24, 2010
102
13
Denver
I have tried all of the methods mentioned above and when I log in using username and password, and filter alogcat only my username appears in the log. Also tried brief and long settings in alogcat preferences.

Edit: This is using the 2.0.2 version.
 
Last edited:

gssnathan

New member
Jul 21, 2010
2
0
Hi Squiddy ,

Pressing the backbutton will exit the app and pressing the home screen actually puts the app in the background so that at later point of time we can launch the app from the page where we left .
I dont think this is an Issue.
 

gssnathan

New member
Jul 21, 2010
2
0
Hi Dawgman25,

There is a settings for the program area where you can change the zipcode of yours and select the proper digital option.

After logging in tap on the settings on the lower right corner.
There will be an option program area under TV Listings.
There you can enter your zipcode and give the correct Headend (Digital) option

I think the forums.comcast.net will respond quicker and properly .
you can also directly send mail to comcastandroiddev@gmail.com to get lightning response !!

I tried this and he responded immediately
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 3
    This post is regarding the Xfinity Mobile app: https://market.android.com/details?id=net.comcast.ottclient

    My system log shows <userName>MYUSERNAME@comcast.net</userName> and <password>MYPASSWORD</password> on a line that starts with "D/HTTPManager". I read the log using aLogcat (app available in the market). Open aLogcat, press menu and filter for "password". After I clear my log (using aLogcat) that line reappears even when I haven't used the Xfinity app. I don't use my comcast credentials in any other app.

    To try and resolve this I cleared data and cache for the Xfinity app, then cleared the system log in aLogcat, and restarted the phone for good measure. I opened the Xfinity app, logged in without checking "remember me" and unfortunately my username and password immediately reappeared in the system log.

    I posted this issue here: http://forums.comcast.net/t5/Mobile-Apps-and-Web/Password-revealed-in-android-system-log/td-p/872295. A Comcast employee responded to say they will investigate this issue and fix it within a few weeks. In the mean time, you may want to uninstall the Xfinity Mobile app and change your Comcast password, or at least do not share your system log with anyone (in bug reports for example) if you have Xfinity Mobile installed.

    This may not be the only app that exposes sensitive information in the system log, but this is the only password I have found exposed.

    I have a Motorola Droid running stock Android 2.2.

    UPDATE - As squiddy20 pointed out, Comcast has updated their app to 2.0.2. They include instructions to clear the app data as part of the upgrade, but that may be unrelated to this issue. In any case, I cleared the app data and installed the update, and my credentials no longer show up in the log. As far as I can tell, they have completely resolved this issue. :) If the problem persists for anyone else, be sure to post that here and on the Comcast forum.