We recently told you about the XFINITY Mobile app for Android, an app that lets you do a whole bunch of stuff, though most people are likely interested in its DVR control and its (lackluster) video streaming capabilities.

The app lets you talk to your configured DVRs, check voicemail and email, and even has some address book functionality. To do this the app has to know your XFINITY username and password. Unfortunately, the app stores your credentials in your Android’s system log.

Additionally, the email address (username) and YOURPASSWORD fields appear on a line that starts with “D/HTTPManager”, implying that they may be sent in clear text via HTTP, which would make your login available to anyone with a packet sniffer between you and Comcast/XFINITY’s servers. It’s unknown whether or not this is the case. Whether or not the credentials are being sent across the web, the logs are accessible to anyone with physical access to your device, and may be included in data that can be sent in a force-close report.
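A check an app developer or tester could run over a captured log to catch this class of leak, as an added example (not code from the app or from the original report). It assumes logcat's "brief" line format (`D/Tag( PID): message`) and a hypothetical list of secret-looking key names; the sample lines are constructed, since the app's real log output is not reproduced here.

```python
import re

# logcat "brief" format: <priority>/<tag>(<pid>): <message>
LINE_RE = re.compile(r'^([VDIWEF])/([^(]+?)\s*\(\s*(\d+)\):\s?(.*)$')

# key=value or "key":"value" pairs whose key suggests a secret.
# The key names are an assumption, not taken from the app.
SECRET_RE = re.compile(
    r'(?i)(["\']?\b(?:password|passwd|pwd|pass|secret|token)\b["\']?\s*[=:]\s*)'
    r'("[^"]*"|\'[^\']*\'|[^&\s,;}]+)'
)

def scan_logcat(lines):
    """Return findings for log lines that carry credential-like values.

    Each finding keeps the tag and a redacted copy of the message, so the
    report does not become a second copy of the secret."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        m = LINE_RE.match(raw.rstrip("\n"))
        if not m:
            continue  # not a brief-format line (e.g. a "beginning of" banner)
        prio, tag, _pid, msg = m.groups()
        redacted, hits = SECRET_RE.subn(lambda s: s.group(1) + "<redacted>", msg)
        if hits:
            findings.append({
                "line": lineno,
                "priority": prio,
                "tag": tag,
                # True only if the logged message itself mentions an http:// URL
                "cleartext_url": "http://" in msg.lower(),
                "message": redacted,
            })
    return findings

# Constructed sample input (hosts, user and password are made up).
SAMPLE = [
    "--------- beginning of /dev/log/main",
    "I/ActivityManager(   71): Starting activity: Intent { cmp=com.example/.Login }",
    "D/HTTPManager( 1234): POST http://login.example.invalid/auth user=alice@example.invalid&password=hunter2&remember=1",
    'D/HTTPManager( 1234): body {"user":"alice@example.invalid","password":"hunter2"}',
    "D/HTTPManager( 1234): response 200 OK",
]

if __name__ == "__main__":
    for finding in scan_logcat(SAMPLE):
        print(finding)
```

Feeding it the lines of an `adb logcat -d -v brief` capture taken right after a login gives a quick regression check that a build no longer logs credentials.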

The Android Market states that an update is coming soon, but doesn’t indicate that this security issue is known or has been addressed in the upcoming release of the app. We hope that this security hole is patched up sooner rather than later!

Source: XDA-Developers
