Cox Communications has fixed an authorization bypass vulnerability that enabled remote attackers to abuse exposed backend APIs to reset millions of Cox-supplied modems’ settings and steal customers’ sensitive personal information.
Cox is the largest private broadband company in the U.S., providing internet, television, and phone services over fiber-powered networks to almost seven million homes and businesses across more than 30 states.
Bug bounty hunter Sam Curry discovered the security flaw and found that successful exploitation gave threat actors a similar set of permissions as ISP tech support.
The attackers could’ve used this access to exploit any of the millions of Cox devices accessible through the vulnerable Cox APIs, overwriting configuration settings and executing commands on the device.
For example, by exploiting this authentication bypass vulnerability, malicious actors can look for a Cox customer using their name, phone number, email address, or account number via the exposed APIs.
They can then steal their personally identifiable information (PII), including MAC addresses, email, phone numbers, and addresses.
The attackers can also collect connected devices’ Wi-Fi passwords and other information by querying the hardware MAC address stolen in the previous attack stage. Subsequently, they can execute unauthorized commands, modify device settings, and gain control over the victim’s accounts.
“This series of vulnerabilities demonstrated a way in which a fully external attacker with no prerequisites could’ve executed commands and modified the settings of millions of modems, accessed any business customer’s PII, and gained essentially the same permissions of an ISP support team,” Curry said.
“There were over 700 exposed APIs with many giving administrative functionality (e.g. querying the connected devices of a modem). Each API suffered from the same permission issues where replaying HTTP requests repeatedly would allow an attacker to run unauthorized commands.”
The company took down the exposed API calls within six hours of Curry’s report on March 3 and patched the vulnerability the next day.
As part of a follow-up security review, Cox also investigated whether this attack vector had ever been exploited before being reported but said it found no evidence of previous abuse attempts.