Earlier today, I reported on the publication of Paris Hilton’s personal information that was stored in her T-Mobile Sidekick II. I did some more research and learned that the information published today is at least similar to information that Nicolas Jacobsen stole during the period from August to October 2004.
This information and a good deal more was reported in the article Secret Service Hacker, How Did He Do It? on the Ethical Hacking and Computer Forensics weblog.
Included in this article are a whole series of illustrations of potentially dangerous vulnerabilities in the my.t-mobile.com website's login page. This is the gateway to T-Mobile's website for customer-facing mobile Internet applications. These vulnerabilities led Jack Koziol of the InfoSec Institute to conclude that my.t-mobile.com's login page may be vulnerable to SQL injection attacks.
Many of the my.t-mobile.com vulnerabilities documented in this article are still problems today. This is very disturbing given the huge amount of information that T-Mobile has stored in its database, and the fact that the relationship between my.t-mobile.com and the server at Danger, Inc. that serves as the repository for Sidekick II data is now explained.