jcthorne's profile

New problem solver

18 Messages

Saturday, June 28th, 2014 7:00 AM

xfinitywifi hotspot significant security risk - plans to fix?

All xfinitywifi hotspots use the same SSID and the same login credentials, that being the xfinity account login.

 

The xfinitywifi SSID is being spoofed by non-Comcast entities. When a smartphone or tablet auto-connects to the 'known' network SSID, the credentials are automatically sent. The spoof hotspot owner now has login credentials to the user's xfinity account, business or home.

 

This problem is making a great deal of traffic around the net, so it's been well known for some time now.

 

When does Comcast intend to close this significant security breach by separating the login credentials and using secure device authentication at xfinitywifi hotspots?

Advocate

1.4K Messages

10 years ago

Hello jcthorne and welcome,

 

Your point about the xfinitywifi SSID does not allow any auto-login using either business comcast class user, comcast user (residential), or non-comcast user. To the best of my current usage of all of these xfinitywifi logins, it is always necessary to manually enter the email address and password in order to log in. If any email user shares their password with anyone, then shame on that user for violating themselves.

 

If you have some specific additional "spoof" security technical detail, please share it with us.  

 

Thanks for your concern.  

New problem solver

18 Messages

10 years ago

The problem is that once the user logs in once, the device remembers the settings and auto logs in the next time it encounters the same SSID.  Standard feature of many smart phones now.  Works exactly this way on my HTC One and my tablet if I allow it.  

 

If the smartphone logs in to a 'spoofed' wifi service using the SSID xfinitywifi, the owner of that hotspot now has the login credentials for the comcast account.

 

The login email and password is the same as used for login to the comcast account system.

Gold Problem solver

610 Messages

10 years ago


@jcthorne wrote:

The login email and password is the same as used for login to the comcast account system.


in my opinion, this is the greater security risk; i could set up a fake access point and just name it "xfinitywifi"; using some not-very-advanced methods, i could create a web page that looks like the comcast xfinitywifi login page, and from there extract any passerby's actual, real Comcast credentials. from there, i could log in to their account, and potentially wreak some havoc.

 

at the very least, the login credentials for getting onto an "xfinitywifi" hotspot should be different than the actual account management login credentials.

 

IMHO