T-Mobile online: Code injection heaven

Ethical Hacking and Computer Forensics - “Secret Service hacker, how did he do it?” (thanks Clint)

Interesting piece that starts off talking about the guy who had broken into a number of T-Mobile accounts, and how he may have done it. The author tests a number of basic code injection attacks, and finds that even after the fact, T-Mobile has left numerous holes in their system:

To further corroborate that Nick used a web application hack, most likely SQL Injection (a little research shows that the T-Mobile site uses IIS/ASP/SQL Server, which happens to be the easiest and most well documented platform for SQL Injection attacks), we can check out the website and try to put some invalid input into the T-Mobile login page. I was very surprised with the results, we can still put all sorts of crazy input into the login page! It is still vulnerable, even after one of the largest, most well known, and high profile hacks in the last couple of years!

Perplexing and sad that a company with the resources — and recent embarrassment — of T-Mobile apparently can’t or won’t address basic web app security.
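The login-form weakness the quoted test is probing, as an added example (not code from either post, and not T-Mobile's ASP pages): a Python/SQLite stand-in for an IIS/ASP/SQL Server login query, with the string-concatenated form beside the parameterized fix. The table, usernames and passwords are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a login table (not T-Mobile's schema).
    Plain-text passwords are for the demo only; real systems store hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "pw1"), ("o'brien", "pw2")])
    return conn


def login_concat(conn, username, password):
    """Vulnerable pattern: form input spliced into the SQL text.
    A quote in the input becomes part of the query's structure, not data."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    try:
        found = conn.execute(sql).fetchone()[0]
    except sqlite3.OperationalError as exc:
        # The database choked on the altered query: the symptom a tester
        # sees when "crazy input" reaches the SQL engine unescaped.
        return "error: " + str(exc)
    return "ok" if found == 1 else "denied"


def login_param(conn, username, password):
    """Fix: bind parameters. The driver sends input as data, so a quote
    in a username is just a character, never SQL syntax."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return "ok" if row[0] == 1 else "denied"


if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "alice", "pw1"))     # ok
    print(login_concat(db, "o'brien", "pw2"))   # error: the quote broke the query
    print(login_param(db, "o'brien", "pw2"))    # ok
    print(login_param(db, "o'brien", "wrong"))  # denied
```

On SQL Server the concatenated form surfaces the same defect as an "Unclosed quotation mark" error page; a login form that returns database errors for a single quote is the quickest sign the parameterized version is not in use.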