Cox Business Authentication Bypass Vulnerability Puts Millions of Devices at Risk of Takeover

A critical authorization-bypass vulnerability in the infrastructure of a major US broadband provider, Cox Communications, recently came to light, exposing millions of business customer devices to potential attacks. The flaw allowed threat actors to obtain unauthorized permissions on those devices, effectively posing as members of the Internet service provider's (ISP) support team.

The vulnerability was identified by independent bug researcher Sam Curry, who detailed the issue in a blog post on June 3. If exploited, attackers could have accessed sensitive information such as personally identifiable information (PII), Wi-Fi passwords, details of connected devices, and even taken over customer accounts.

Curry traced the root of the vulnerability to over 700 exposed APIs on Cox's back-end infrastructure, many of which granted administrative functionality. By replaying the same HTTP request repeatedly, an attacker could execute unauthorized commands because of permission issues in those APIs. The flaw was traced back to an error in the Spring code used to proxy API requests to Cox's back-end while serving front-end files through a different path. Spring is a widely used Java framework for developing Web applications and services.

This series of vulnerabilities provided external attackers with the ability to execute commands, manipulate modem settings, access PII of business customers, and essentially assume the same level of permissions as an ISP support team member.
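The replay behaviour described above leaves a recognisable trace in access logs: the same client sends an identical request that is first denied and then, moments later, accepted. The following detector is an added illustration written for this article, not code from Curry's write-up or from Cox; the log lines, paths and client addresses are constructed, and the `/api/` prefix is an assumed convention for the proxied back-end routes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log lines (hypothetical, not from Cox's systems).
# Fields: timestamp client method path status
SAMPLE_LOG = """\
2024-03-04T10:00:01 203.0.113.7 GET /api/v1/customers/search?name=acme 403
2024-03-04T10:00:02 203.0.113.7 GET /api/v1/customers/search?name=acme 403
2024-03-04T10:00:02 203.0.113.7 GET /api/v1/customers/search?name=acme 200
2024-03-04T10:00:05 203.0.113.7 POST /api/v1/devices/00:11:22:33:44:55/wifi 403
2024-03-04T10:00:05 203.0.113.7 POST /api/v1/devices/00:11:22:33:44:55/wifi 200
2024-03-04T10:01:00 198.51.100.9 GET /app/index.html 403
2024-03-04T10:01:00 198.51.100.9 GET /app/index.html 200
2024-03-04T10:10:00 192.0.2.4 GET /api/v1/customers/search?name=acme 403
2024-03-04T10:30:00 192.0.2.4 GET /api/v1/customers/search?name=acme 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

def parse_line(line):
    """Parse one log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, path, status = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "path": path, "status": int(status)}

def find_replay_bypasses(log_text, window_seconds=5, api_prefix="/api/"):
    """Flag an identical request denied (403) then accepted (200) from the same
    client within window_seconds: the signature of an authorization check that
    a replay slips past. Only proxied API paths are checked; front-end files are ignored."""
    window = timedelta(seconds=window_seconds)
    pending = defaultdict(list)  # (client, method, path) -> denial timestamps
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(api_prefix):
            continue
        key = (rec["client"], rec["method"], rec["path"])
        if rec["status"] == 403:
            pending[key].append(rec["ts"])
        elif rec["status"] == 200 and key in pending:
            recent = [t for t in pending.pop(key) if rec["ts"] - t <= window]
            if recent:  # a slow retry long after a denial (e.g. after a real login) is not flagged
                findings.append({"client": key[0], "method": key[1], "path": key[2],
                                 "denied_before_success": len(recent),
                                 "success_at": rec["ts"].isoformat()})
    return findings
```

On the sample above, only the two bursts from 203.0.113.7 are reported; the front-end file and the 20-minute-later retry from 192.0.2.4 are not.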

The discovery of this critical flaw in Cox’s infrastructure came about through Curry’s own experience several years ago. While working on his home network, Curry noticed unusual network traffic that led him to investigate further. Eventually, this led him to uncover the authorization bypass vulnerability on Cox’s back-end API.

To exploit the vulnerability, an attacker could search for a target customer through the exposed APIs using various identifiers like name, phone number, email address, or account number. Once identified, the attacker could retrieve the customer’s complete account details, including PII, device MAC addresses, email, phone number, and business address. Subsequently, the attacker could retrieve Wi-Fi passwords, information on connected devices, and even take control of the victim’s account.

Upon identifying the vulnerability, Curry promptly reported it through Cox’s responsible disclosure program on March 4, and the provider patched the flaw within a day. Cox assured Curry that there was no history of the vulnerability being exploited by malicious actors.

Despite Cox's quick response and mitigation, the mystery of how Curry's device was originally compromised, and of the involvement of the phishing-related IP address, remains unresolved. The incident underscores the importance of maintaining trust between ISPs and customer devices, and the ongoing need to identify and address vulnerabilities in critical infrastructure.
