T-Mobile Log-In Security Vulnerability

February 28, 2005

The other day, I read a report that showed how one could change the default text for the My T-Mobile page. That really isn't a security vulnerability per se, but here's one that I discovered that could be a huge hole for T-Mobile. If you go to their My T-Mobile page, you'll notice that the login URL carries, URL-encoded in its query string, the address the browser is sent to after you have been authorized to enter the site. This vulnerability would not get the login credentials of a person, but if the person logging in does not look at the URL (and most casual users won't), then they can be redirected, right after a genuine T-Mobile login, to a page that looks like a T-Mobile page, from which information could be phished from them.

Here is an example. Click HERE if you have a T-Mobile account. Type in your username and password. Your data will not be sent to me, but it'll be authorized through T-Mobile's servers. Right after the authorization, you'll be sent to my website. The crafted URL for the above example is:

https://my.t-mobile.com:443/Login/Default.aspx?rc=&dest=http%3a%2f%2fwww.ultramookie.com
You can see how my URL is encoded into it. The correct URL is:
https://my.t-mobile.com/Login/?rc=&dest=http%3a%2f%2fmy.t-mobile.com%3a80%2fDefault.aspx
Notice how the "dest" parameter is set to http://my.t-mobile.com:80/Default.aspx. The server never checks that the destination is its own: it redirects to whatever "dest" says, an open redirect. If someone wants to phish around for information, they could build a page that looks just like the My T-Mobile page and use this redirection to send users over (using some sort of social engineering) to the fake page. Because the login form, the certificate, and the authentication itself are all genuinely T-Mobile's, the only visible warning sign is the encoded hostname inside the query string. Then they can get whatever information they want out of the user. T-Mobile needs to redo their My T-Mobile page and either hide the redirect (for example, replace the free-form URL with a key that is looked up on the server) or validate "dest" during the authorization phase: accept only destinations on my.t-mobile.com, comparing the host exactly rather than as a prefix, treating user@host and scheme-relative //host forms as foreign, and falling back to the default page whenever the check fails. So there you have it, another T-Mobile vulnerability.
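The validity check suggested above, as an added example that is not code from the original post or from T-Mobile. It is a stand-alone Python function, safe_dest, which is a hypothetical name; it assumes an allow-list containing only my.t-mobile.com and a fallback of https://my.t-mobile.com/Default.aspx, both chosen for the example. The function takes the "dest" value as it appears in the query string (still URL-encoded), decodes it once, and returns either that decoded destination or the fallback. It goes beyond the single case in the post by also rejecting the usual allow-list bypasses: userinfo tricks (http://my.t-mobile.com@evil.example), look-alike hosts (my.t-mobile.com.evil.example), scheme-relative //host URLs, backslashes, and non-http schemes.

```python
from urllib.parse import unquote, urlsplit

# Assumed for this example; not T-Mobile's real configuration.
ALLOWED_HOSTS = {"my.t-mobile.com"}
DEFAULT_DEST = "https://my.t-mobile.com/Default.aspx"


def safe_dest(dest_param, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_DEST):
    """Return a post-login redirect target that stays on an allowed host.

    dest_param is the raw query-string value (e.g. "http%3a%2f%2f...").
    Anything that fails a check is replaced by `default` rather than
    "repaired"; rewriting attacker-controlled input is how bypasses creep in.
    """
    if not dest_param:
        return default

    # Decode exactly once, and validate the very string we will emit.
    raw = unquote(dest_param)

    # Browsers treat backslashes and control characters loosely (a "\" is
    # often read as "/"); the URL parser does not, so refuse them outright.
    if "\\" in raw or any(ord(c) < 0x20 for c in raw):
        return default

    parts = urlsplit(raw)

    if parts.netloc:
        # Absolute or scheme-relative URL.  Only http(s) may leave the page.
        if parts.scheme not in ("http", "https"):
            return default
        # .hostname strips userinfo and port and lower-cases the host, so
        # "http://my.t-mobile.com@evil.example" yields "evil.example".
        # Exact set membership, never startswith(): that is what defeats
        # "my.t-mobile.com.evil.example".
        if parts.hostname not in allowed_hosts:
            return default
        return raw

    # No authority part: accept only a plain site-relative path.  A scheme
    # with no netloc ("javascript:alert(1)") is rejected here too.
    if parts.scheme or not parts.path.startswith("/"):
        return default
    return raw


if __name__ == "__main__":
    # Constructed sample inputs: the two URLs from the post plus bypasses.
    samples = [
        "http%3a%2f%2fmy.t-mobile.com%3a80%2fDefault.aspx",   # legitimate
        "http%3a%2f%2fwww.ultramookie.com",                   # the post's PoC
        "//www.ultramookie.com",                              # scheme-relative
        "http://my.t-mobile.com@www.ultramookie.com/",        # userinfo trick
        "https://my.t-mobile.com.evil.example/",              # look-alike host
        "/\\www.ultramookie.com",                             # backslash
        "javascript:alert(1)",                                # non-http scheme
        "/Default.aspx",                                      # relative path
    ]
    for s in samples:
        print(f"{s!r:55} -> {safe_dest(s)}")
```

The function deliberately returns the decoded string it validated, not the original parameter, so the redirect header is built from exactly what was checked. Logging every fall-back to the default page is also worthwhile: a burst of rejected external hosts in the login logs is a cheap early warning that someone is crafting links like the one in this post.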