
T-Mobile Site And Server Security

Posted Aug 2, 2011
Authored by GrahamPhisher

Small write-up discussing various issues with T-Mobile's site and security.

tags | paper
SHA-256 | c85f78d5b785a5673ec6319cd4e213024eb515189ce4bd1e9c0abf0e8a0c23cc

T-Mobile Site & Server Security
GrahamPhisher
8/2/2011

We all know that any system, unless it's unplugged and turned off, is never 100% secure. Of course, this makes
security a high priority today to protect any sensitive data, which means keeping up to date with the latest updates
or patching any vulnerabilities for whatever software your system is running. Of course, not updating doesn't make
you a bad or lazy person, but what if you're a company that's serving over 30 million customers and you don't update
your system's security? I am speaking about T-Mobile, the fourth-largest wireless carrier in the U.S.

Look back on 2006-2008, when T-Mobile had some pretty big security-related scares that resulted in some of
their customers' information being leaked, for example Paris Hilton's, where the website was exploited to access
her personal information, including pics, texts, and more. This of course called for immediate attention to fix
the vulnerabilities in the site.

Now, just being curious, not malicious, I was wondering if T-Mobile was keeping their system up to date to prevent
any more of these attacks. So I ran a couple of tests on their site, nothing that would cause harm though. One was an XSS
(Cross-Site Scripting) injection through their store locator, which led me to an older copy of their website (weird,
why would their old website still be up?) where the copyright in the footer said 2009. Then later, after roaming
around the site, I stumbled upon T-Mobile Puerto Rico (t-mobilepr.com), where the copyright also says 2009.

Then, after finding this out, I manipulated another address on the T-Mobile website, which led me to some shocking
info: their server software is from 2008-07-31 (Apache Tomcat/6.0.18), which has a countless number of vulnerabilities
reported, which were later fixed in Tomcat 6.0.19 and released in Tomcat 6.0.20. Running this server software could
allow a cracker (hacker) to penetrate their system, allowing them to access T-Mobile's customer database and more,
which could lead to a massive personal information leak.

This led me to find out that T-Mobile hasn't been "fully" keeping up to date with the latest security on the server that
hosts their site, or patching a good number of the numerous reported vulnerabilities from multiple security communities
relating to their website since 2008 or 2009, and of course that I have way too much free time on my hands.
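
For administrators who want to catch this condition on their own servers, the following added example (not part of the original write-up) scans captured response bodies for the `Apache Tomcat/x.y.z` string and compares it against a per-branch patch baseline. The host names, sample bodies and the `BASELINES` table are constructed assumptions; the 6.0.20 baseline is the release the write-up names.

```python
import re

# Minimum patch level per (major, minor) branch. The 6.0 entry comes from the
# write-up (fixes landed in 6.0.19, released as 6.0.20); add other branches
# from your own patch policy.
BASELINES = {(6, 0): 20}

# Tomcat's default error page prints this product/version string in its body.
BANNER_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def audit_response(host, body, baselines=BASELINES):
    """Return findings for one captured HTTP response body from `host`."""
    match = BANNER_RE.search(body)
    if match is None:
        return []  # no version banner in this response
    major, minor, patch = (int(part) for part in match.groups())
    shown = f"{major}.{minor}.{patch}"
    findings = [f"{host}: discloses Apache Tomcat/{shown} in response body"]
    required = baselines.get((major, minor))
    if required is None:
        findings.append(f"{host}: no baseline defined for {major}.{minor}.x")
    elif patch < required:  # integer compare, so 9 < 18 is handled correctly
        findings.append(
            f"{host}: {shown} is below baseline {major}.{minor}.{required}")
    return findings


# Constructed sample responses (hypothetical hosts, not captured traffic).
SAMPLES = {
    "store.example.test": "<h1>HTTP Status 404</h1><h3>Apache Tomcat/6.0.18</h3>",
    "www.example.test": "<h1>HTTP Status 404</h1><h3>Apache Tomcat/6.0.20</h3>",
    "app.example.test": "<h1>Not Found</h1>",  # custom error page, no banner
    "new.example.test": "<h3>Apache Tomcat/7.0.5</h3>",
}


def audit_all(samples=SAMPLES):
    """Audit every sample and return {host: findings}."""
    return {host: audit_response(host, body) for host, body in samples.items()}


if __name__ == "__main__":
    for findings in audit_all().values():
        for line in findings:
            print(line)
```

A host that serves a custom error page produces no finding here, so an empty result says nothing about patch level; confirm the installed version from the server itself.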