We recently told you about the XFINITY Mobile app for Android, an app that lets you do a whole bunch of stuff, though most people are likely interested in its DVR control and its (lackluster) video streaming capabilities.

The app lets you talk to your configured DVRs, check voicemail and email, and even has some address book functionality. To do this, the app has to know your XFINITY username and password. Unfortunately, the app stores your credentials in your Android device's system log.

Additionally, the [email protected] and YOURPASSWORD fields appear on a line that starts with "D/HTTPManager", implying that the credentials may be sent in clear text via HTTP, which would make your login available to anyone with a packet sniffer between you and Comcast/XFINITY's servers. It's unknown whether or not this is the case. Whether or not the credentials are being sent across the web doesn't change the fact that the logs are accessible to anyone with physical access to your device, and may be included in data that can be sent in a force-close report.
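For anyone auditing an app for the same problem, the added example below (not from the original article or the app's code) scans a logcat dump in the "brief" format for credential-like fields, redacts the values, and flags lines that also mention an `http://` URL. The sample lines, field names and hosts are constructed; the article does not show the app's exact log format.

```python
import re

# logcat "brief" format: <priority>/<tag>(<pid>): <message>
BRIEF = re.compile(r"^([VDIWEF])/(.+?)\s*\(\s*(\d+)\):\s?(.*)$")
# Key names that commonly carry secrets, in key=value or "key: value" form
# (assumed list; extend it for the app under test).
SECRET = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd|token|secret)\b(\s*[=:]\s*)([^&\s\"',;]+)")
CLEARTEXT_URL = re.compile(r"(?i)\bhttp://[^\s\"']+")


def audit(lines):
    """Return one finding per log line that carries a secret-looking field.

    The value is replaced with <redacted> so the report itself is safe to share.
    """
    findings = []
    for number, line in enumerate(lines, 1):
        parsed = BRIEF.match(line.rstrip("\n"))
        if not parsed:
            continue  # not a brief-format logcat line
        _priority, tag, _pid, message = parsed.groups()
        keys = [hit.group(1).lower() for hit in SECRET.finditer(message)]
        if not keys:
            continue
        findings.append({
            "line": number,
            "tag": tag,
            "keys": keys,
            # True when the same line references a plain-HTTP URL
            "cleartext_http": bool(CLEARTEXT_URL.search(message)),
            "redacted": SECRET.sub(
                lambda hit: hit.group(1) + hit.group(2) + "<redacted>", message),
        })
    return findings


# Constructed sample lines (hypothetical hosts, user and field names).
SAMPLE = [
    "D/HTTPManager( 1234): POST http://api.example.invalid/login user=alice@example.invalid&password=hunter2",
    "I/ActivityManager(   87): Displayed com.example.app/.Main: +350ms",
    "D/HTTPManager( 1234): GET https://api.example.invalid/dvr/list",
    "D/AuthClient( 1234): session token: 9f8e7d",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To check a real device, pass it the lines of `adb logcat -v brief -d` captured while signing in with a test account.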

The Android Market states that an update is coming soon, but doesn't indicate that this security issue is known or has been addressed in the upcoming release of the app. We hope that this security hole is patched up sooner rather than later!

Source: XDA-Developers
