Last week I reported that the My.T-Mobile.com Website still had some potentially dangerous vulnerabilities. I concluded this because I was able to repeat some of the HTML and JavaScript modifications to the My.T-Mobile.com login screen illustrated in the article Secret Service Hacker, How Did He Do It? that was published on the Ethical Hacking and Computer Forensics weblog.
I’m happy to report that these vulnerabilities appear to have been fixed by T-Mobile’s system administrators. I re-checked the vulnerabilities after reading Wired News’ article called Known Hole Aided T-Mobile Breach.
The Wired News article indicates that sources close to the federal case against Nicolas Jacobsen reported that the exploit Jacobsen used to gain access to T-Mobile customer information was a vulnerability in the WebLogic application server that was discovered in 2003. The patch for this vulnerability has been available for most of that time, but T-Mobile reportedly failed to apply it until now.
The Wired News article goes on to quote Peter Dobrow, a spokesman for T-Mobile, who reportedly said that the company closed the holes that Jacobsen exploited. This is a very good development for T-Mobile customers around the country, and I felt that it was important to discuss it in detail here on Operation Gadget.