T-Mobile Site & Server Security
GrahamPhisher, 8/2/2011

We all know that no system, unless it is unplugged and turned off, is ever 100% secure, which is why security is such a high priority today for protecting any sensitive data. That means keeping up with the latest updates and patching any vulnerabilities in whatever software your system is running. Not updating doesn't make you a bad or lazy person, but what if you're a company serving over 30 million customers and you don't update your system's security?

I am speaking about T-Mobile, the fourth-largest wireless carrier in the U.S. Looking back on 2006-2008, T-Mobile had some pretty big security-related scares that resulted in some of their customers' information being leaked, for example Paris Hilton, where the website was exploited to access her personal information, including pics, texts, and more. That of course called for immediate attention to fix the vulnerabilities in the site.

Now, just being curious, not malicious, I was wondering if T-Mobile was keeping their system up to date to prevent any more of these attacks. So I ran a couple of tests on their site, nothing that would cause harm though. One was an XSS (Cross Site Scripting) injection through their store locator, which led me to an older copy of their website (weird, why would their old website still be up?) where the copyright in the footer said 2009; then later, after roaming around the site, I stumbled upon T-Mobile Puerto Rico (t-mobilepr.com), where the copyright also says 2009. After finding this out, I manipulated another address on the T-Mobile website, which led me to some shocking info: their server software is from 2008-07-31 (Apache Tomcat/6.0.18), which has countless reported vulnerabilities that were later fixed in Tomcat 6.0.19 and released in Tomcat 6.0.20.
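As an added example, not code from the original post: the two checks described above, a reflected-XSS probe against a search field and a Tomcat version read from the default error page, written as a small offline Python script. The responses it inspects are constructed samples, not captures from t-mobile.com; the version string follows the post's finding (Apache Tomcat/6.0.18) and the fixed release (6.0.20) is taken from the post. The probe string, the function names and the sample bodies are all assumptions made for this illustration. The script reads the version from the error-page body rather than the Server header because Tomcat of that era announces itself there as Apache-Coyote/1.1, so the body is where the real version shows up.

```python
import html
import re
from typing import Optional, Tuple

# Constructed sample of a Tomcat default 404 page (not a capture from t-mobile.com).
# The version string follows the post's finding (Apache Tomcat/6.0.18); the path is made up.
SAMPLE_404_BODY = """<html><head><title>Apache Tomcat/6.0.18 - Error report</title></head>
<body><h1>HTTP Status 404 - /store-locator/no-such-page</h1>
<HR size="1" noshade="noshade"><p><b>type</b> Status report</p>
<p><b>message</b> <u>/store-locator/no-such-page</u></p>
<p><b>description</b> <u>The requested resource is not available.</u></p>
<HR size="1" noshade="noshade"><h3>Apache Tomcat/6.0.18</h3></body></html>"""

# Release in which the post says the fixes shipped (assumption taken from the post).
FIXED_TOMCAT: Tuple[int, int, int] = (6, 0, 20)

# Probe for the store locator (hypothetical): a unique marker plus the characters an
# HTML context must encode. If it comes back verbatim, the page reflects input unescaped.
PROBE = 'gpxss"\'<x>'

# Constructed store-locator responses: one echoes the search term raw, one escapes it.
VULN_LOCATOR_BODY = '<p>No stores found near "' + PROBE + '"</p>'
SAFE_LOCATOR_BODY = '<p>No stores found near "' + html.escape(PROBE, quote=True) + '"</p>'

BANNER_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def parse_tomcat_version(body: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a Tomcat error-page banner, or None if absent."""
    m = BANNER_RE.search(body)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_behind(version: Tuple[int, int, int], fixed: Tuple[int, int, int] = FIXED_TOMCAT) -> bool:
    """True when the observed version predates the release carrying the fixes."""
    return version < fixed


def reflection_kind(probe: str, body: str) -> str:
    """Classify how a search term came back: 'unescaped', 'escaped', or 'absent'."""
    if probe in body:
        return "unescaped"
    if html.escape(probe, quote=True) in body:
        return "escaped"
    return "absent"


def audit(locator_body: str, error_body: str) -> dict:
    """Combine both checks into one set of findings for a target."""
    version = parse_tomcat_version(error_body)
    return {
        "reflection": reflection_kind(PROBE, locator_body),
        "tomcat_version": version,
        "tomcat_behind_fix": version is not None and is_behind(version),
    }


if __name__ == "__main__":
    for label, body in (("vulnerable", VULN_LOCATOR_BODY), ("escaped", SAFE_LOCATOR_BODY)):
        print(label, "locator:", audit(body, SAMPLE_404_BODY))
```

Two design points worth noting. The reflection check distinguishes three outcomes rather than two: a probe that comes back HTML-escaped is the site doing the right thing, and treating it the same as "absent" would hide that. The version check only reports what the banner actually says; a site with a custom error page yields None and is reported as unknown rather than guessed, since the default page is the only place this banner appears.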
Running this server software could allow a cracker (hacker) to penetrate their system, gaining access to T-Mobile's customer database and more, which could lead to a massive personal information leak. This led me to conclude that T-Mobile hasn't been "fully" keeping up to date with the latest security on the server that hosts their site, or patching a good number of the vulnerabilities reported against their website by multiple security communities since 2008 or 2009, and, of course, that I have way too much free time on my hands.