More Holes Found in T-Mobile Website
mogwhat writes "Even though T-Mobile's website was decisively hacked into over a year ago by now (in)famous cracker Nick Jacobsen, a blog posting by computer security expert Jack Koziol details many serious security holes in various T-Mobile websites. You would think that T-Mobile would have paid attention the first time? Time to get a new cell phone provider!"
Can you pw*404*
Aaw crap. I guess he could.
fp
fp fd sdf sdf sdfl sdf
sdfsd
I just find myself not caring. Great, another company has an insecure website. Can someone explain why this is a big deal?
...that my surrogate father, CowboyNeal, will teach me the ways of these 1337 hax0rz ski11x.
I don't know, it seems that now that all this is exposed, it may be time to think about going to T-Mobile. The odds are they learned this time.
Now the question is how the hell we get our company to switch after moving alllll of our crackberries to T-Mobile, and we are constantly having issues.
And with all of this privacy concern, what kind of liability does that put T-Mobile at when sensitive market data can be compromised? *SCARY*
Sorry man... the Internet pooped on me.
I wish I could switch to a provider that protects their "secured" website better than T-Mobile but they're the only company that provides the Sidekick II in the United States. And I can't really use other phones because of my hearing disability.
I hate the feeling of being trapped to one provider because they have something the others don't, even though they treat their customers like complete and utter shit. T-Mobile customer service leaves quite a lot to be desired.
"Black holes are where God divided by zero." - Steve Wright
Why is it that every time a Slashdot news story gets posted, a ridiculously inane comment or question has to be appended to the actual news item?
Could this be the lamest thing ever?
Time to get a new cell phone provider!
Because of their website?
I'm willing to bet that the guy in charge of coding the backend for their site is not the same guy setting up the telephone network.
________________________________________________
suwain_2
Being a customer at a grossly insecure telecom company can expose you to all kinds of risk.
I can only recommend that people let their money speak and move away from them.
TMobile Customers should let TMobile know that we care about security issues on their website, and that we consider this to be very important for our continued relationship with them!
This "early post" is brought to you by the ECFA (Euthanasia for Canis Familiaris Association)/GNAA (Great Negro Association of America). This combined organization, resulting from the 2004 merger of the ECFA and the GNAA, is committed both to celebrating black history and to the improvement of our society through eliminating overpopulation of animals to improve their lives and the lives of humans. The ECFA/GNAA is committed to improving our society, leaving it better than we found it. We use the Slashdot trolling capabilities of the GNAA to spread our message of improvement.
Do you want to Commemorate great negros
Are you sick of overpopulation of household pets.
Are you willing to take radical measures to keep these pests at bay?
If you answered YES to any of the above questions, the ECFA(Euthanasia for Canis Familiaris Association)/GNAA is for you!
You can work toward the noble goal of INCREASING OUR SUPPLY OF O2! OVERPOPULATION of DOGS is RAMPANT in this country. Did you know that DOGS turn BENEFICIAL O2 into CO2 simply to gain their energy to bark, drool, and howl? They ACTUALLY BURN OUR OXYGEN SUPPLY!!! One dog easily wastes the Oxygen output of ten mature trees! This country has MANY UNWANTED, ABANDONED DOGS that WE ARE PAYING MONEY TO KEEP ALIVE. We are FEEDING them our food supply while making the homeless STARVE! Are you TIRED of having your TAXES increased? Humane Societies cost our country over $100 million annually. By using a Dog Killing Gadget, a dog can be turned into beneficial food, helping us all. We let children go hungry yet feed our **UNWANTED** dogs like royalty.
We hunt deer when they become overpopulated. Why should dogs be any different? We don't have deer pounds to send 'homeless' deer to. Yet to most people, dogs are personified to the extreme. We advocate treating dogs like the animals they are.
In addition, we would like to commemorate Malcolm X, a great example of the great negro. The ECFA/GNAA is committed to preserving our GNAA heritage by recognizing Great Negros.
WANT TO SUPPORT THE ECFA? Simply participate in our propaganda campaign to exterminate dogs. You can become a member of our slashdot trolling team, our usenet trolling team, or you can be a member of our local campaigning - by simply handing out brochures or posting signs outside humane societies. If you have MOD POINTS, alternatively you can moderate this post UP to support our cause.
Important Note: The ECFA has recently "connected" with the GNAA to form one ECFA. Stay connected. Please note that since we are moving to a larger demographic (the untold scores of people who deal with dog messes, noises, and annoyances daily), most of the current GNAA content is offline. In fact, we're pulling all of it except the "early post", which is now a ECFA-style "early post". The traditional GNAA "early post" will continue to be posted on all SCO stories, as insisted by upper GNAA management and its core team of fans. The illicit images and language will not be a part of the new combined organization. We do not condone any sexual lifestyle or race.
==Brought to you by the GNAA Trolling Group, now a division of ECFA.
little known, but the Secret Service have jurisdiction over counterfeiting crimes
It's not a little known fact amongst people who follow the hacking/cracking/phreaking/carding scene, even loosely. Read the excellent book the hacker crackdown by Bruce Sterling for an informative account of what the SS does (and also does spectacularly wrong).
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
I liked them when they were One2One. The service was (in my experience) decent and the adverts were interesting (as far as adverts go). Then they became T-Mobile. What the fuck is T-Mobile? I get the mobile part, but T?
And when I'd want to top up my credit I'd have to listen to 5 mins of crap about how they had changed for the better, before being told I had to now wait 30 mins for my top up to take effect instead of the almost-instant old way. Yay for progress.
that was several years ago. I left them and never looked back.
...hey! I didn't make a 4 hour call to 1800-man-love.
Traditional Landline companies take customer privacy very seriously (at least the ones I worked for) but the new technologies - Mobility, cell, internet divisions/companies always seemed to be playing fast and loose with phone company policy. Very frustrating from the landline side of the house. Not that the landline divisions are much more secure but at least they generally have the right attitude to security.
The rock, the vulture, and the chain
From the latest CryptoGram by Bruce Schneier:
"T-Mobile suffered some bad press for its lousy security, nothing more. It'll spend some money improving its security, but it'll be security designed to protect its reputation from bad PR, not security designed to protect the privacy of its customers."
And I seriously doubt if the treatment of security would be or is any better from any of the other cellular carriers.
- SR
"God is a comedian playing to an audience too afraid to laugh." -- Voltaire
But I just finished compiling my embedded gentoo for it!
...and there will always be a way to get hacked. The only real solution is to unplug your computer from the 'Net, throw away your cell phone, Kill your TV (tm), turn off your analog phone, unplug your radio, sell your car (OnStar, I can help you), erase all your iPod songs... Sounds dull.
How do we know that Verizon, Sprint, AT&T or others are safe? T-Mobile should get hit with the liability for the identities of their violated customers, which would force them to tap their business liability insurance. That would force the other telcos insurance companies to force audits of them. We still wouldn't know whether we were protected, but it would be more likely. If a T-Mobile liability suit could find that T-Mobile violated its own published privacy policy, and held it accountable, that might force the other telcos down the same road, of honoring their own privacy policies. The same goes, of course, for all other personal info cachers, with their own toothless privacy policies. Until there's some serious consequences for lying about these responsibilities rather than backing them up, it's all wide open.
--
make install -not war
The problem is that there's no point [for Americans; there may be for people in other countries]. What, exactly, is getting a new cell phone provider going to do for you? It will punish T-mobile for not being careful with your data, which is deserved. But will it protect your data? Not really. Oh, if you use their data services you might prevent some eavesdropping or picture-stealing...or might not. T-Mobile got caught, but that doesn't mean the other services aren't having problems.
But it won't protect your personal data. That is out of your hands and has been for the last thirty years or so. Your personal information has already been given away or sold by ChoicePoint, the government, the credit bureaus, and everyone else. Your only option is to assume it's gone, check your credit report regularly, and hope someone isn't using your social security number. Identity theft isn't something you can do anything to prevent. You can only catch it in time, and then hope you can fix it. Despite all the rosy stories about how after 300 hours of work people managed to clear their names, there are real stories of people who don't get their money and credit ratings back. There simply haven't been any solid studies one way or the other -- it's all anecdotal.
No, I'm not fucking bitter at all.
What I say does not represent the views of my employers, my friends, my cats, or myself.
according to netcraft they are running win 2k for the server.
Evolution or ID?
What's the big deal about some hacker listening to your phone calls via the web? Everyone should know that cell is insecure. With a proper digital scanner anyone can listen to anyone's cell conversation within range. Unless you're talking with your lawyer, in which case it is protected from court. Anyways, don't talk over insecure communications as if they were secure. It is like sending something confidential in a plain text email. Don't do it.
The article says the site uses ASP, but that error message at the end sure looks like a Java stack trace to me.
Go ahead and waste your life with your inhibitions, just don't ruin other people's lives with your intolerances.
Let's see, your network is so insecure that someone hacks into it using government accounts and steals private information from your company.
Do you...
a) tighten your security on your network so it doesn't happen again
b) apologize and place it on your "things to do" list or
c) don't change a damn thing but pay Snoop Dogg and company mega bucks to advertise your new Sidekick II?
If you're T-Mobile then c is the correct answer!
Good Karma, Bad Karma, doesn't matter to me... I'm still going to say what's on my mind!
If you try to go to their webmail, it chides you for not using a supported browser (Firefox 1.0 or Mozilla 1.7.3 for instance) and instead insists that you use an IE based browser and is actually broken in Gecko based browsers. It also has the feel of a crappy, thrown together site.
I read the internet for the articles.
Get More... Of other people's data... ;)
"Nature bats last..."
Sure pwning the network through their website doesn't help but you shouldn't be talking company secrets over a cell (for example) and not expecting someone, somewhere, to be able to hear you.
DAMN YOU OCTODOG! DAMN YOU TO HELL!
Anybody foolish enough to assume that material posted to a T-Mobile website is SECURE pretty much deserves whatever they get...
I've abandoned my search for truth; now I'm just looking for some useful delusions.
This is why I believe that phone should stay a phone, and not be a smart phone. I can't wait for the audio XXX spam. I want to see people's faces when their phone starts moaning like a wet whore in heat.
...and crashes all the time. Viva T-Mobile.
We can make the login page say "I like cheese" and cause server errors. Wee. These aren't holes so much as simple bugs, unless someone can point to a definite way to, say, log in as any user without a password, or get a list of account numbers, or something besides making the login form display some silly phrase.
Another statement the article makes is that the text bug "could be used in a phishing attack on T-Mobile customers, especially if you hex encoded portions of the URL." How? Wouldn't any phishing attack involve making the form submit to some place besides the official website? Doing so much as trying to insert an HTML tag produces a server error (which, I'm guessing, is intentional), so it wouldn't even be possible to close the form and open a new one in its place that submits to a rogue site.
Bears don't normally eat things that talk and move backwards.
So I'm sitting in a doughnut shop near Grand Ave in Oakland and there is apparently a T-Mobile store next door. Not knowing this at the time I turn on my wireless to see if I can score some free internet...and I get an open connection. After my internetting is done I peek at Network Neighborhood (because I'm always curious to see *how* open someone's internet connection is) and voila! I get direct access to the T-Mobile store's *two* servers next door. OK, it wasn't exactly direct. I had to use my enormous hacking skills to put in a username of "Administrator" with a *blank* password when I tried to connect to the server. Bingo - direct access to ALL T-Mobile business info *including* completed and pending credit info.
This is not a troll or a joke - it really happened. I *like* T-Mobile's phones...but their lack of security (well, at least that one store's security anyway) scares me.
And here Microsoft was claiming that their Windowz server was sooooo secure.
http://uptime.netcraft.com/up/graph/?host=www.voicestream.com
Someone care to explain?
Since this is a Java exception I can't think of a way to exploit it. I happen to write Java web frontends on a daily basis and some of the pages will throw exceptions if fed malformed parameters. Where is the problem?
I usually skim over GNAA posts, but that Dog Killing Gadget bit was a fucking riot!
Of course we usually mask the exception by some generic error page and log the stacktrace somewhere else but still I don't see where having the stacktrace could help someone break into the system.
A couple of days ago some ne'er-do-well got hold of my credit card number and started buying Italian airline tickets with it. Fortunately, my credit card company noticed and gave me a call.
T-mobile is about the only website I give my credit card number to. Could their weak system be the culprit? I don't know enough about hacking to know if this is possible, but it seems like quite a coincidence...
https://my.t-mobile.com/Login/?rc=*yawn*
Don't encourage these idiots. This is by far the worst attempt at a troll ever. In fact, it is not even worthy of being modded Troll. That is almost like a compliment. These jokers' posts should simply be modded Overrated each time, so as not to draw any attention or recognition to any of them.
all at the same time. I switched from T-Mobile about a month ago. I could care less about pictures, phone calls or text messages. I hardly use text and haven't owned a camera phone ...
My only question is whether or not access has been gained on a large enough scale to SSN's and other personal data.
Que Deus te de em dobro o que me desejas
[May God give you double that which you wish for me]
the reaper BSD's I burnt out. I you get distract3d would be a bad I don't want to over the same some inteeligent
guess I should have used the preview button.
Que Deus te de em dobro o que me desejas
[May God give you double that which you wish for me]
i have them as a cellphone provider right now.
i chose them because of their inexpensive data rates and being the first on the market with the hp6315 ipaq phone. however they end up charging you minutes for calls that you don't answer and so many other miscellaneous things that i've already paid them the money to cancel my contract.
can one of you cell phone providers not suck?
http://www.cgisecurity.com/articles/xss-faq.shtml
I've been reading slashdot stories about USian mobile providers for a while and i still don't understand.
What's this thing that I had to sign up with provider X because I want phone Y?
So tell me what's the catch - is there no way to just buy a phone from the shop and sign a service contract with them? Do you have to rent it from your connection provider? Or lease it?
Why don't you just buy the phone you like and choose the provider you like?
In europe - where i'm from - it works like this: If you're not piss-poor, you buy a phone you want and choose a provider you like. If you're piss-poor, you sign some crappy contract with provider for some set time and they lease you a phone with some 200% markup.
Here excellent Nokia models (400h standby time) start from about $80 and will last for about 5 years at least - so surely it can't be the money issue...
http://www.cgisecurity.com/questions/sql.shtml
T-Mobile go to great pains to publish a privacy policy which claims they use industry standard practices such as SSL to protect private customer data, yet, when one tries to get customer support via their website they *require* your social security number on a non-SSL encrypted page.
If you make one up because the question is fairly general (like "when will Danger's servers come back up so I can get email again, I've been watching the 2 dot dance for 12 hours now") they will refuse to answer it and request your 'social' via email (also unencrypted).
After 12 round trip emails (I should stick them on my web site, they are fairly classic) it is clear they realize they have a privacy policy but they refuse to follow it.
I'm not surprised with the attitude and general ignorance I've encountered so far that they're having problems of a more serious nature.
Offtopic rant:
I've had my Sidekick Color for 1.5 yrs or so and the service has gone way downhill in the last 3-4 months or so. The connection to Danger's servers via GPRS is snappy, but it can take their server 1-2mins to fetch a web page and render it down (say, slashdot) -- even with images turned off.
Email also recently has gone suck: it used to be your email was pushed to the handheld realtime and you could read it when out of range, now it only pulls the email down when you open the email app and try to read (meaning you can't read email when out of range and have to wait for downloads when in range, which is quite slow due to the overloaded servers).
Overall my satisfaction with them has just about dipped to the point it's worth buying new cell phones/PDAs and finding another GPRS carrier. I think I'm stuck with a Palm thing though if I want to keep ssh over GPRS (which I use a lot).
It is not as if any other provider has their business together much better, it's just that T-Mobile has come in publicity with it.
ASP.NET 1.1 by default blocks the submission of form variables that contain HTML tags. That's the error you get back; the developers didn't even bother to check it themselves. This check didn't exist in version 1.0, which makes me wonder how old this page is. But due to the stupidity of web developers, Microsoft added it.
Have you ever been to a turkish prison?
am i the only one who hasn't owned T-mobile?
That last line should be:
A system in which an attacker can only cause a failure of which one party will be notified is more secure than a system in which an attacker can cause a failure of which neither party is notified.
Numerous reasons the US wireless telecom industry sucks.
The main reason for what you're seeing, though, is that unlike Europe, we have several competing standards. GSM is finally starting to spread, but additional standards are still common.
So 1: your phone has to match your network standard. If you're not using a GSM provider, you're pretty much left with nowhere but the provider (or an authorized reseller, which just sells the same phones anyway) to buy a phone. And even if you could buy a phone elsewhere for a non-GSM network, it would still have to be programmed by your provider to work.
1a: Not all GSM providers are using the same frequency. And in the case of Cingular, they're not even always using the same frequency across their entire service area.
2: Providers are all over exclusivity contracts. Cingular, for example, is the only provider that can offer the Motorola RAZR V3. When Cingular merged with AT&T, Sony-Ericsson phones mysteriously disappeared from the other providers. In some cases, the manufacturer is still able to offer the phone unlocked and without activation to the general public. But...
3: Unlocked phone prices are outrageous. The US providers heavily subsidize the phones they sell (and SIM lock them). Without activation, the RAZR V3 is $600. With activation, it's $260. Prices for other phones are similarly disparate. Nokia's N-Gage runs $200 unlocked. Up until recently, you could get it for between $0 and -$150 (you made $150 by buying the phone) if you shopped around and signed into a new contract. And all this is assuming you can find a handset that's offered unlocked and without a plan. Most models simply aren't available that way. (For reference, the cheapest handset Nokia offers here "handset only" is $130.)
You buy the phone, you pay for the service, and unless you want to hemorrhage at the wallet, you select from the phones offered by your provider.
I and many others wish the wireless here was more like it is in Europe, but we're damn well screwed in the mean time.
What I don't get is that this was apparently done via an SQL injection attack. What kind of moron writes a web application where this is even possible? I write B2B applications for a living and I just don't understand why you'd have a scenario where you execute SQL from a GET or POST request. I suppose a developer not knowing the HTTP protocol might help...
The bottom line is that a corporation T-Mobile or otherwise should perform due diligence to protect its customers from security threats. Period. Especially in terms of information involving personal information, and /or credit cards etc. T-Mobile and like companies should be compelled to pay its customers for each security breach.
Hit them in the balance sheet.
We'll never see this happen in the U.S. though because it will cost companies money.
Dood they are Germans, they got better things to do like dance and touch monkeys.
SQL Injection is one of the easiest flaws to find and is an easy thing to overlook when you are in a rush and developing under ASP.
At least PHP has "magicquotes" to somewhat protect newbies. Although one could argue that this can give a false sense of security I suppose.
Voice your opinion, just don't be lewd because they'll start hanging up on anyone who calls for Bruce Brown. Hehehe.
Home Office:
12920 SE 38th Street.
Bellevue, WA 98006
1-800-318-9270
Robert Dotson President and Chief Executive Officer
Sue Swenson Chief Operating Officer
Mike Butler Chief Marketing Officer
Bruce Brown Chief Information Officer
Cole Brodman SVP Product & Systems Development, Chief Development Officer
Dave Miller Senior Vice President, General Counsel and Secretary
Brian Kirkpatrick Executive Vice President and Chief Financial Officer
Tim Wong Executive Vice President and Chief Technical Officer
T-Mobile Anyone Minutes
*yawn*
Crackberries have secure end-to-end encryption. The corporate plans do, anyway... I haven't kept up on their latest stuff.
When I signed up to T-Mobile they were VoiceStream at the time. There was a huge flaw. To create an account they would SMS the password to your phone AND show it in a popup dialog on screen. It looked like some debug code made it to production. I had fun all weekend playing with people's accounts.
Since then I have assumed their security was very bottom rung.
http://img.prod1.dngr.net/img/voicestream/components/header/prepay_masthead.bmp
That's pretty sad when the web developer doesn't even know how to create a basic website correctly. I only noticed this because when pages load, BMP's load from the bottom up, not top down because the format is backwards.
yes
Because Cingular's website sucks donkey balls and their phone and plan options are insanely confusing.
I'll revisit Cingular in several years when they've finished borging AT&T Wireless and rolling out all new towers in hopes that it'll be better. Sheesh.
(no offense to those who think donkey balls taste good)
It's funny that the so-called security expert can't tell the difference between sites running on IIS and on servlet containers.
His very last example exploit showed clearly that the support.t-mobile.com site was in fact running on Resin, and the NumberFormatException indicates that at least in this case, the input parameters were being validated. You should notice that there is not a single class in the stack trace from a JDBC driver, and that the parameter was being converted to an integer. Hence no danger of an SQL injection attack. I'm not saying that it was handled 100% correctly by the app's programmer -- you should never let the user see that kind of error page. In any case, I would honestly expect that an expert such as the author of that article would have at least a little experience writing servlet-based apps and knowledge of how to read a Java stack trace.
I'll probably be kicked from slashdot, since I violated its code of conduct by actually reading the article, but since when is a java parseInt Exception an SQL Injection opportunity?
In fact, the parseInt may protect the SQL from being manipulated. Likewise with the script tag injection. He tries it, it doesn't work. Admittedly there is no nice error message, but it still doesn't work.
This is just a tailgating article.
I'm still trying to figure out what people mean by 'social skills' here.
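Added example, not from the article or from any poster in this thread: a small Python/sqlite3 script (Python instead of the Java servlet stack discussed above, so it runs without a JDBC driver) illustrating the two points made about the parseInt exception: converting the request parameter to an integer before building the query blocks injection, and the exception should be logged and masked with a generic error page rather than shown to the user. The accounts table and the account ids are constructed sample data, and `handle_request` is a hypothetical stand-in for a servlet handler.

```python
import logging
import sqlite3
import traceback


def make_demo_db():
    """Constructed in-memory account table; sample data, not any carrier's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [(42, "alice"), (43, "bob"), (44, "carol")])
    return conn


def lookup_vulnerable(conn, raw_id):
    """The anti-pattern: a raw request parameter pasted straight into the SQL text.
    A value such as '42 OR 1=1' widens the WHERE clause to every row."""
    return conn.execute(
        f"SELECT id, owner FROM accounts WHERE id = {raw_id}").fetchall()


def lookup_hardened(conn, raw_id):
    """Convert first, then bind. int() plays the role of Integer.parseInt: anything that
    is not an integer raises ValueError (the NumberFormatException analogue) before
    any SQL is built, and the bound parameter can never change the query's shape."""
    account_id = int(raw_id.strip())
    return conn.execute(
        "SELECT id, owner FROM accounts WHERE id = ?", (account_id,)).fetchall()


def handle_request(conn, raw_id, log=logging.getLogger("support")):
    """Hypothetical servlet-style handler: the stack trace goes to the server log,
    the client only ever sees a generic status and message."""
    try:
        rows = lookup_hardened(conn, raw_id)
    except ValueError:
        log.warning("rejected non-numeric account id %r", raw_id)
        return {"status": 400, "body": "Invalid request."}
    except Exception:
        log.error("unexpected failure\n%s", traceback.format_exc())
        return {"status": 500, "body": "An internal error occurred."}
    if not rows:
        return {"status": 404, "body": "No such account."}
    return {"status": 200, "body": rows}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    db = make_demo_db()
    print("vulnerable:", lookup_vulnerable(db, "42 OR 1=1"))   # all three rows
    print("hardened:  ", handle_request(db, "42 OR 1=1"))      # generic 400
    print("hardened:  ", handle_request(db, "42"))             # one row
```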
Very likely I am wrong, and they do use alternative or additional measures...and maybe it was a personal account that was handled. But in the age of Homeland Security and all that, I am left with curiosity.
I took this as a cue to scan some of the local providers.. Be very afraid..
Privacy is a myth anyways, get over it.
"A learning experience is one of those things that says, 'You know that thing you just did? Don't do that.'" - DNA
Here's what those nasty bugs let you see:
http://www.nextwish.org/parishilton/book.html
I have inside knowledge of t-mobile.com architecture and can assure that security is taken very seriously. Reading the posts on this board is brutal and they make it sound like the site is wide open, and this is not the case. At the most fundamental levels the bi-directional encryption algorithm and identity management architecture are very strong when properly implemented. In addition to site security there are also log files that generally tell the story after the fact. I do however agree with the post that wireless company websites move much faster than wireline and that the race to market can result in security holes, especially as the site grows very large. The flaw that Nick Jacobson exploited was a legacy process between the tmo site and a partner site that was not implemented according to standards. This hole was patched and Nick is now awaiting sentencing. The "more holes" found by Jack Koziol at infosecinstitute make for nice screen shots but won't get you past the home page. That issue is getting a patch as well. As for Paris Hilton, it was really an unfortunate social engineering hack. Please rest assured that substantial resources and effort are continually spent to safeguard customer data. -sleepless developer