Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security IT

More Holes Found in T-Mobile Website 183

mogwhat writes "Even though T-Mobile's website was decisively hacked into over a year ago by now (in)famous cracker Nick Jacobsen, a blog posting by computer security expert Jack Koziol details many serious security holes in various T-Mobile websites. You would think that T-Mobile would have paid attention the first time? Time to get a new cell phone provider!"
This discussion has been archived. No new comments can be posted.

More Holes Found in T-Mobile Website

Comments Filter:
  • by Tackhead ( 54550 ) on Friday February 18, 2005 @03:48PM (#11716497)
    Can you pwn me now?
    Can you pw*404*

    Aaw crap. I guess he could.

  • Don't get it... (Score:4, Insightful)

    by numLocked ( 801188 ) on Friday February 18, 2005 @03:49PM (#11716506) Homepage Journal
    I just find myself not caring. Great, another company has an insecure website. Can someone explain why this is a big deal?
    • I just find myself not caring. Great, another company has an insecure website. Can someone explain why this is a big deal?

      You're getting confused with those online casinos.
    • I mean, how does the security of a cell provider's web page affect their service overall? If they have fewer dropped calls, better coverage, etc. I could really care less if their web admins don't really know what they're doing.
    • Re:Don't get it... (Score:5, Informative)

      by generationxyu ( 630468 ) on Friday February 18, 2005 @03:53PM (#11716562) Homepage
      The issue is that when Nick Jacobson owned T-Mobile's website, he used that to gain access to their entire network -- every picture sent or recieved, every text message, possibly even phone calls. He owned a good portion of the company.
    • If you one of their customers you'd care.
      btw i just canceled i'm going to get a nextel over the weekend.
    • Because I had never had a problem using my credit card online, until one day I decided it would be nice to stop paying my cell phone bill by check. Three days later I was screwed out of $200.
    • "Can someone explain why this is a big deal?"

      Because the cracker is going through the courts, while the company which allowed other peoples' information to be released, and did nothing about it when they were found out isn't...?
  • Tmobile SUX (Score:4, Insightful)

    by JhohannaVH ( 790228 ) on Friday February 18, 2005 @03:50PM (#11716521) Journal
    Now the question is how the hell we get our company to switch after moving alllll of our crackberries to T-Mobile, and we are constantly having issues.
    And with all of this privacy concern, what kind of liability does that put T-Mobile at when sensitive market data can be compromised? *SCARY*
    • Re:Tmobile SUX (Score:4, Informative)

      by medication ( 91890 ) on Friday February 18, 2005 @04:04PM (#11716702) Journal
      If sensitive market data is being sent via email your provider is the least of your worries. Email is an inherently insecure form of information transfer (without encryption). In addition to that I can't imagine that T-Mobile doesn't have something in their contract legalese that explicitly says that they are not responsible for the security of email passed through their systems.
      • Re:Tmobile SUX (Score:1, Informative)

        Email doesn't get any more secure when you encrypt your data, your data does. STMP communication is still as vulnerable to interception as it ever was, it's just that now the intercepted data is, largely, useless.
      • Even with encryption I wouldn't describe email as "secure." People can still DoS you by swamping you with spam, or cause a mail server to drop your message without delivering it. As far as I'm concerned, a communication medium which lets attackers block messages from reaching their destinations is not really secure.

        I realize that by that logic the entire internet isn't really secure, but email is significantly worse than other systems because (by default at least) it has no method for stopping unauthentic

        • By your definition, nothing is "secure" and the word is meaningless.

          You could build a fortress out a 20 foot thick lead walls, and it wouldn't be "secure" because someone could shoot you on the street outside on your way there.

          • As I mentioned in my post, it's not the best definition in the world, but the point remains that email is ridiculously easy to disrupt when compared to other methods of communicating over the internet.
          • By your definition, nothing is "secure" and the word is meaningless.

            Disagree -- there exist, or can exist, systems with better security properties than encrypted email. On can, for instance, build a messaging system which will guarantee that the sender will be notified within [X] hours if the message hasn't been received by the recipient. Sure, the messanger you hired might be shot on his way over to your buddy's fortress (or his way back with the signed receipt) -- but you'll find out that he's missing.
    • Use T-Mobiles SLA against them to get out of the contract. i used to work for radio shack and we sold sprint products there... ever cell phone company has a Service level aggreement within their contracts that states that if service is interupted for extended time or if there is reasonable doubt that continuing service with them will cause you to lose finanical information . then they have to let you out of the contract..no questions asked
    • ...sensitive market data can be compromised?
      If it's sensitive to anybody besides your company (e.g. comes under SEC, HIPAA, GLB, SOx, CA1798 etc.) then y'all are going to get crucified in your next audit...
  • Ah well... (Score:4, Informative)

    by Gangis ( 310282 ) on Friday February 18, 2005 @03:51PM (#11716532) Journal
    I wish I could switch to a provider that protects their "secured" website better than T-Mobile but they're the only company that provides the Sidekick II in the United States. And I can't really use other phones because of my hearing disability.

    I hate the feeling of being trapped to one provider because they have something the others don't, even though they treat their customers like complete and utter shit. T-Mobile customer service leaves quite a lot to be desired.
    • Re:Ah well... (Score:1, Flamebait)

      by DoorFrame ( 22108 )
      I've had great experiences with the TMobile customer service department as well as their phone service in general. I highly recommend them.

      Maybe it's because I can hear.
      • I tried T-Mobile for about a week in 2002. It was the worst experience ever! My biggest complaint was that their voicemail notifications (at least for the model phone I had) were given by a text message. Everytime someone left a voicemail, I would get a text message telling me so. I prefer systems that utilize the voicemail indicator that's built into the phone - you know, the one that goes away after you listen to the message.

        I'm currently locked into a contract with Sprint for one more year and I can't

      • Despite the bad natured postscript, I fully agree. T-Mobile has excellent customer service, decidedly better than verizon or cingular. It is possible that the gp's customer service complaints are related to his disability.

        Also, in the two areas I frequent (Chicago Metropolitan area and Downstate IL), I've never had ANY service problems or interference in normal conditions. So maybe we're talking about two different T-Mobiles.
    • I hate the feeling of being trapped to one provider because they have something the others don't, even though they treat their customers like complete and utter shit. T-Mobile customer service leaves quite a lot to be desired.

      Well, I don't know how many other cell phone providers you have dealt with (being that you are hearing disabled) but I have dealt with a couple and currently T-mobile (as crappy as they can be at times) are a whole world apart from the others I have had the unfortunate luck to deal w
      • You're right... I haven't had to deal with many operators, but I do know when I'm getting the short end of the stick.

        Oh yeah, I've had those problems. Actually, it's been happening ever since the Sidekick II was released. They recently had an extended downtime for "system upgrades" (which didn't change a damn thing at all... Emails keep bouncing, AIM refuses to sign on, webpages fail to load) and yes, they keep shrugging it off and blaming me. Feh.
  • Just wondering... (Score:5, Insightful)

    by hollismb ( 817357 ) on Friday February 18, 2005 @03:51PM (#11716535) Homepage

    Why is it that every time a Slashdot news story gets posted, a riducilousy inane comment or question has to be appended to the actual news item?

    Could this be the lamest thing ever?

    • It's the Slashdot way. Typically, people who submit comments would like to give a little initial direction to discussion. If the submitter doesn't add a question, the editor usually does.

      Though if the submitter does append a question, the editor occasionally gives his own answer, or a link to some additional information he googled up before the story went live.
    • Re:Just wondering... (Score:4, Informative)

      by Rosco P. Coltrane ( 209368 ) on Friday February 18, 2005 @04:00PM (#11716660)
      Insightful my hiney. I read the front page right now, i.e. 14 blurbs, and I count 2 that end with a question, one of them being the one you complain about, and the other being a valid question imho.

      This said, I agree that the questions are sometime s lame (like this one). Probably submitters feel compelled to leave the blurb open-ended to start the thread of discussion, out of fear of seeing the "important news" fall flat on its face, and it sometimes really is quite annoying.
    • Why is it that every time a Slashdot news story gets posted, a riducilousy inane comment or question has to be appended to the actual news item?

      Could this be the lamest thing ever?


      I'd just like to point out that this seems to be an unintentional metajoke.

      Due to the mock inane question added to the end hahaha
    • It's because everyone uses the Slashdot Random Story Generator [bbspot.com] to write their submissions.
  • Umm... (Score:5, Insightful)

    by suwain_2 ( 260792 ) on Friday February 18, 2005 @03:51PM (#11716538) Journal
    Time to get a new cell phone provider!

    Because of their website?

    I'm willing to bet that the guy in charge of coding the backend for their site is not the same guy setting up the telephone network.
    • Re:Umm... (Score:5, Insightful)

      by m50d ( 797211 ) on Friday February 18, 2005 @03:55PM (#11716588) Homepage Journal
      No, but the guy who hired him (or the guy who hired that guy, or so on up the chain), and didn't do something about it when he failed the first time, is the same guy who hired the guy who runs your telephone network, and is responsible for ensuring he does a good job. Still feel happy using them?
    • Well, based on the quality of their telephone network, I wouldn't be suprised if it is the same guy.
    • I think the implication is that because a) Nick Jacobsen was able to compromise T-Mobile accounts, including Paris Hilton's and b) Jack Koziol can show some trivial text injection that I'm not sure even qualifies as a bug...

      Come to think of it, you're right. What is the point of this? But, anyway, the issue is account management and security, not the telephone network.

    • Re:Umm... (Score:3, Insightful)

      Because of their website?

      I'm willing to bet that the guy in charge of coding the backend for their site is not the same guy setting up the telephone network.


      Yes, but one could argue that a website is like a logo, or a sales sheet, or a press kit: it's what represents the values the companies want to convey across, and if they suck, there's a strong hint that the rest of the company may suck too. It's not always true though, as Microsoft, its shiny frontpage and not-so-good OS demonstrates, but more often
  • by elzbal ( 520537 ) <elzbal@y[ ]o.com ['aho' in gap]> on Friday February 18, 2005 @03:52PM (#11716543) Homepage
    TMobile Customers should let TMobile know that we care about security issues on their website, and that we consider this to be very important for our continued relationship with them!
  • Not little known (Score:5, Informative)

    by Rosco P. Coltrane ( 209368 ) on Friday February 18, 2005 @03:53PM (#11716560)
    little known, but the Secret Service have jurisdiction over counterfeiting crimes

    It's not a little known fact amongst people who follow the hacking/cracking/phreaking/carding scene, even loosely. Read the excellent book the hacker crackdown [mit.edu] by Bruce Sterling for an informative account of what the SS does (and also does spectacularly wrong).
  • by rokzy ( 687636 )
    I liked them when they were One2One. the service was (in my experience) decent and the adverts were interesting (as far as adverts go). then they because T mobile. what the fuck is T mobile? I get the mobile part, but T?

    and when I'd want to top up my credit I'd have to listen to a 5 mins of crap about how they had changed for the better, before being told I had to now wait 30 mins for my top up to take affect instead of the almost-instant old way. yay for progress.

    that was several years ago. I left them a
    • by adpe ( 805723 ) on Friday February 18, 2005 @04:03PM (#11716691)
      T-Mobile is a german company. Originally it was called "Telekom" which is short for "Telecommunication", then they split up their departments into T-Com (responsible for telephone services), T-Onlien (ISP services), T-Systems (business solutions) and T-Mobile (mobile communication). They just kept the name when buying themselves into the US market.
    • One2One is only meaningful in English, but T mobile works in most European languages. (Almost all that use Latin alphabet, anyway).

      Some people dont speak English at all!

      • One2One is only meaningful in English, but T mobile works in most European languages. (Almost all that use Latin alphabet, anyway).

        Some people dont speak English at all!


        Well, their main customer base is american after all...
        • Well, their main customer base is american after all...

          That being the case, they could have called them selves "T-Cell" but this might result in some confusion, protests, and mayhem. "T-Cell - Get more from life!"

    • I thought they were VoiceStream before getting boucht up by Deutsch Telecom
  • Phone Company's (Score:5, Informative)

    by Fox_1 ( 128616 ) on Friday February 18, 2005 @03:54PM (#11716569)
    Traditional Landline companies take customer privacy very seriously (at least the ones I worked for) but the new technologies - Mobility, cell, internet divisions/companies always seemed to be playing fast and loose with phone company policy. Very frustrating from the landline side of the house. Not that the landline divisions are much more secure but at least they generally have the right attitude to security.
  • by Sunrun ( 553558 ) <(drew.kalbrener) (at) (gmail.com)> on Friday February 18, 2005 @03:54PM (#11716576) Homepage
    From the latest CryptoGram by Bruce Schneier:

    "T-Mobile suffered some bad press for its lousy security, nothing more. It'll spend some money improving its security, but it'll be security designed to protect its reputation from bad PR, not security designed to protect the privacy of its customers."

    And I seriously doubt if the treatment of security would be or is any better from any of the other cellular carriers.


    - SR
  • by Anonymous Coward
    But i just finished compiling my embededd gentoo for it!
  • Obscured Security (Score:5, Interesting)

    by Doc Ruby ( 173196 ) on Friday February 18, 2005 @03:58PM (#11716618) Homepage Journal
    How do we know that Verizon, Sprint, AT&T or others are safe? T-Mobile should get hit with the liability for the identities of their violated customers, which would force them to tap their business liability insurance. That would force the other telcos insurance companies to force audits of them. We still wouldn't know whether we were protected, but it would be more likely. If a T-Mobile liability suit could find that T-Mobile violated its own published privacy policy, and held it accountable, that might force the other telcos down the same road, of honoring their own privacy policies. The same goes, of course, for all other personal info cachers, with their own toothless privacy policies. Until there's some serious consequences for lying about these responsibilities rather than backing them up, it's all wide open.
  • by Daedala ( 819156 ) on Friday February 18, 2005 @03:58PM (#11716619)
    The problem is that there's no point [for Americans; there may be for people in other countries]. What, exactly, is getting a new cell phone provider going to do for you? It will punish T-mobile for not being careful with your data, which is deserved. But will it protect your data? Not really. Oh, if you use their data services you might prevent some eavesdropping or picture-stealing...or might not. T-Mobile got caught, but that doesn't mean the other services aren't having problems.

    But it won't protect your personal data. That is out of your hands and has been for the last thirty years or so. Your personal information has already been given away or sold by ChoicePoint, the government, the credit bureaus, and everyone else. Your only option is to assume it's gone, check your credit report regularly, and hope someone isn't using your social security number. Identity theft isn't something you can do anything to prevent. You can only catch it in time, and then hope you can fix it. Despite all the rosy stories about how after 300 hours of work people managed to clear their names, there are real stories of people who don't get their money and credit ratings back. There simply haven't been any solid studies one way or the other -- it's all anecdotal.

    No, I'm not fucking bitter at all.
    • So what exactly is wrong with taking some personal responsibility towards your data?

      ID theft doesn't happen online. The overwhelming majority of cases happen where someone snarfs the carbon copies from a credit card purchase out of the dumpster behind the 7-11. What can you do about it? Take the carbons with you (if you encounter an old-school carbon copy card thingamajob), and like you said, pay attention to your own credit.

      You aren't liable for fraud perpetrated in your name. "ID theft" is a nice bu
      • I'm sorry, I'm in the middle of moving and don't have the time to look up my sources.

        But: 70% of id theft is from insider data theft. The studies that say "most id theft is from stealing wallets/dumpster diving/etc" are talking about cases where people know how they lost the data. It's easy to know if your wallet's gone walkabout. Most people simply don't know where their data went or how. Search for "University of Michigan" and id theft to find the study. There is nothing that anyone can do about insider
    • Protecting your identity is really very easy. I have been doing it without problem for a quite a while.

      First - don't pay your bills on time. Wrack up lots of late fees, and never pay them.

      Second - default on your student loans, if you have any.

      Third - Don't pay your late fees and switch job frequently to aviod a wage garnish for the student loans you have defaulted on.
      All this will result in a VERY poor credit rating. End result - no one wants my identity, and even if they did, they couldn't get a cred

  • netcraft (Score:5, Informative)

    by millahtime ( 710421 ) on Friday February 18, 2005 @03:59PM (#11716635) Homepage Journal
    according to netcraft they are running win 2k for the server.
  • ASP or Java? (Score:4, Informative)

    by progbuc ( 461388 ) on Friday February 18, 2005 @04:04PM (#11716704)
    The article says the site uses ASP, but that error message at the end sure looks like a Java stack trace to me.
    • Re:ASP or Java? (Score:3, Interesting)

      Could be both. One part of the website may run using ASP (my.t-mobile.com) and other part looks to be using servlets (support.t-mobile.com) at least somewhere for some function(s). In fact the my.t-mobile.com source indicates that it was coding language is C#.

    • That error [t-mobile.com] was simply a java script bug in executying their little flyout tree for plan information which can be seen by removing the trailing apostrophe from the URL. See here: http://support.t-mobile.com/plan.html?treeName=pla ns&path [t-mobile.com] Certainly poor error handling, but not much of an exploit.
      • Umm no thats a java servlet stack trace. Javascript != Java. And servlets are a server technology and HTTP 500 error is a webserver produced error. And apostrophe that causes an error is usually a clear indication of a sql injection vunerability but looking at the stack trace it's just a parse error trying to take a string and convert it to an int.
  • by L1nux_L0ser83 ( 860647 ) on Friday February 18, 2005 @04:07PM (#11716738) Homepage Journal
    lets see, your network is so insecure that someone hacks into it using government accounts and steals private information from your company.

    do you...
    a) tighten your security on your network so it doesnt happen again

    b) appoligize and place it on your "things to do" list or

    c) dont change a damn thing but pay snoop dog and company mega bucks to advertise your new sidekick II?

    if your t-mobile then c is the correct answer!
  • If you try to go to their webmail, it chides you for not using a supported browser (Firefox 1.0 or Mozilla 1.7.3 for instance) and instead insists that you use an IE based browser and is actually broken in Gecko based browsers. It also has the feel of a crappy, thrown together site.
  • T-Mobile (Score:3, Funny)

    by ectotherm ( 842918 ) on Friday February 18, 2005 @04:09PM (#11716757)
    Get More... Of other people's data... ;)
  • Well... (Score:2, Insightful)

    Anyone that is using a Cellphone and expecting a secure and private communication is seriously deluding themselves.

    Sure pwning the network through their website doesn't help but you shouldn't be talking company secrets over a cell (for example) and not expecting someone, somewhere, to be able to hear you.

  • To all those crackers out there: you're welcome to have copies of all the baby pictures I've posted to T-mobile! Hey, all you had to do was ask, no need to break security!

    Anybody fooling enough to assume that material posted to a t-mobile website is SECURE pretty deserves whatever they get...

  • This is why I believe that phone should stay a phone, and not be a smart phone. I can't wait for the audio XXX spam. I want to see people's faces when their phone starts moaning like a wet whore in heat.
  • So? (Score:3, Insightful)

    by Storlek ( 860226 ) on Friday February 18, 2005 @04:20PM (#11716868)
    We can make the login page say "I like cheese" and cause server errors. Wee. These aren't holes so much as simple bugs, unless someone can point to a definite way to, say, log in as any user without a password, or get a list of account numbers, or something besides making the login form display some silly phrase.

    Another statement the article makes is that the text bug "could be used in a phishing attack on T-Mobile customers, especially if you hex encoded portions of the URL." How? Wouldn't any phishing attack involve making the form submit to some place besides the official website? Doing so much as trying to insert an HTML tag produces a server error (which, I'm guessing, is intentional), so it wouldn't even be possible to close the form and open a new one in its place that submits to a rogue site.
    • Asp.net 1.1 by default blocks the submission of form variables that contain html tags. Thats the error you get back, the developers didn't even bother to check it themselves. This check didn't exists in version 1.0 which makes me wonder how old this page is. But due to the stupidity of web developers, Microsoft added it.
  • by Anonymous Coward on Friday February 18, 2005 @04:24PM (#11716910)
    So I'm sitting in a doughnut shop near Grand Ave in Oakland and there is apparently a T-Mobile store next door. Not knowing this at the time I turn on my wireless to see if I can score some free internet...and I get an open connection. After my internetting is done I peek at Network neighborhood (because I'm always curious to see *how* open someone's internet connection is) and Voila! I get direct access to the T-mobile store's *two* servers next door. OK, it wasn't exactly direct. I had to use my enormous hacking skills to put in a username of "Administrator" with a *blank* password when I tried to connect to the server). Bingo - direct access to ALL T-mobile business info *including* completed and pending credit info.

    This is not a troll or a joke - it really happenned. I *like* T-mobile's phones...but their lack of security (well at least that one store's security anyway) scares me.
    • [Disclaimer: Slightly off topic].

      I *like* T-mobile's phones...

      Err, T-Mobile doesn't make phones. Since you can get any phone T-Mobile offers from online retailers, their phones shouldn't really influence your choice of provider. Unless you're willing to get roped into a contract for the sake of saving a hundred bucks on a phone. It's often not worth it. There are very good sites online to buy unbranded GSM phones, such as ustronics.com, mobilecityonline.com, and expansys.com to name a few. And good rev

  • Someone care to explain?
    Since this is a Java exception I can't think of a way to exploit it. I happen to write Java web frontends on a daily basis and some of the pages will throw exceptions if fed malformed parameters. Where is the problem?
  • Credit Card Numbers? (Score:2, Interesting)

    by spud603 ( 832173 )
    A couple of days ago some ne'rdowell got a hold of my credit card number and started buying italian airline tickets with it. Fortunately, my credit card company noticed and gave me a call.
    T-mobile is about the only website I give my credit card number to. Could their weak system be the culprit? I don't know enough about hacking to know if this is possible, but it seems like quite a coincidence...
  • all at the same time. I switched from T-Mobile about a month ago. I could care less about pictures, phone calls or text messages. I hardly use text and haven't owned a camera phone ... My only question is whether or not access has been gained on a large enough scale to SSN's and other personal data.
  • i have them as a cellphone provider right now.

    i chose them because of their inexpensive data rates and being the first on the market with the hp6315 ipaq phone. however they end up charging you minutes for calls that you don't answer and so many other miscellaneous things that i've already paid them the money to cancel my contract.

    can one of you cell phone providers not suck?
  • by Anonymous Coward
  • Dood they are Germans, they got better things to do like dance and touch monkeys.
  • http://img.prod1.dngr.net/img/voicestream/componen ts/header/prepay_masthead.bmp

    That's pretty sad when the web developer doesn't even know how to create a basic website correctly. I only noticed this because when pages load, BMP's load from the bottom up, not top down because the format is backwards.
  • It's funny that the so-called security expert can't tell the difference between sites running on IIS and on servlet containers.

    His very last example exploit showed clearly that the support.t-mobile.com site was in fact running on Resin, and the NumberFormatException indicates that at least in this case, the input parameters were being validated. You should notice that there is not a single class in the stack trace from a JDBC driver, and that the parameter was being converted to an integer. Hence no dang
  • I'll probably be kicked from slashdot, since I violated its code of conduct by actually reading the article, but since when is a java parseInt Exception an SQL Injection opportunity?

    In fact, the parseInt may protect the SQL from being manipulated. Likewise with the script tag injection. He tries it, it doesn't work. Admittely there is no nice errors message, but it still doesn't work.

    This is just a tailgating article.

"The one charm of marriage is that it makes a life of deception a neccessity." - Oscar Wilde

Working...