If you’re an Xfinity Security System user (like myself) then you are at risk of “anyone” viewing your cameras.

I was doing one of my “network exploration sessions” and figured I’d see how Xfinity’s security is… before I knew it I had access to all three camera video streams from any external network (I had my brothers try from their locations).

So first, I didn’t tamper with any of the equipment nor was I in hands reach of it, this was purely outside any Xfinity / Comcast equipment. Each camera obviously has it’s own IP address within the local network, the routers have firewalls, etc etc etc. Where we see this leak is the URL generated that provides the media stream. These URLs are generated when we view our cameras via the browser, tablet, or in this case my iPhone.

I was able to hijack that URL and access it externally, generating JPEG (stills) and MJPEG (video) streams. The URL is HTTPS / SSL based, however it doesn’t require an authentication session to access it! And because of that, anyone with the URL can access the stream.

I did notice that the URL dies after an expiration time is met since last viewing the stream from whatever portal you used. However, as soon as you bring your cameras back up, those URLs are publicly accessible again.

If you’re in a coffee shop (or public router in general) and access your home security system, you just potentially gave your video stream URLs out.

The key to fixing? Authentication (cookie signed) sessions to access those URLs. Why comcast hasn’t done this? No idea and it’s a major flaw.