Small write-up discussing various issues with T-Mobile's site and security.
T-Mobile Site & Server Security
GrahamPhisher
8/2/2011
We all know that no system is ever 100% secure unless it's unplugged and turned off, which of course makes security a
high priority today for protecting any sensitive data. That means keeping up to date with the latest updates and
patching any vulnerabilities in whatever software your system is running. Of course, not updating doesn't make
you a bad or lazy person, but what if you're a company serving over 30 million customers and you don't update
your system's security? I am speaking about T-Mobile, the fourth-largest wireless carrier in the U.S.
Looking back on 2006-2008, T-Mobile had some pretty big security-related scares that resulted in some of
their customers' information being leaked. One example was Paris Hilton, whose personal information, including
pics, texts, and more, was accessed by exploiting the website. This of course called for immediate attention to fix
the vulnerabilities in the site.
Now, me just being curious, not malicious, I was wondering whether T-Mobile was keeping their system up to date to prevent
any more of these attacks. So I ran a couple of tests on their site, nothing that would cause harm though. One was an XSS
(Cross Site Scripting) injection through their store locator, which led me to an older copy of their website (weird,
why would their old website still be up?) where the copyright in the footer said 2009. Later, after roaming
around the site, I stumbled upon T-Mobile Puerto Rico (t-mobilepr.com), where the copyright also says 2009.
Then, after finding this out, I manipulated another address on the T-Mobile website, which led me to some shocking
info: their server software is from 2008-07-31 (Apache Tomcat/6.0.18), which has a countless number of reported
vulnerabilities that were later fixed in Tomcat 6.0.19 and released in Tomcat 6.0.20. Running this server software could
allow a cracker (hacker) to penetrate their system, giving them access to T-Mobile's customer database and more,
which could lead to a massive personal information leak.
This led me to find out that T-Mobile hasn't been "Fully" keeping up to date with the latest security on the server that
hosts their site, or patching a good number of the numerous vulnerabilities reported by multiple security communities
relating to their website since 2008 or 2009, and of course that I have way too much free time on my hands.