Secret Service hacker, how did he do it?
In summary, the affidavit says that Nick, who was already under investigation by the Secret Service, hacked into T-Mobile, where he was able to access accounts including those of the Secret Service agents who were investigating him for other activities. He found that they had been monitoring his conversations over ICQ (Nick's ICQ # was 23292256). Nick also discovered a number of Secret Service documents that an agent, Peter Cavicchia, had left unencrypted in his inbox. Nick posted on muzzfuzz that he was selling T-Mobile account information, offering:
reverse lookup of information for a tmobile cell phone, by phone number at the very least, you get name, ssn, and DOB at the upper end of the information returned, you get web username/password, voicemail password, secret question/answer, sim#, IMEI#, and more.
Also of interest, he went on to access Paris Hilton's account and capture some of the pictures she had been taking with her camera. Now, here is where it gets interesting. How did Nick get into T-Mobile? Did he use an IIS exploit? Did he hack the web interface for T-Mobile accounts?
The affidavit from Nick's case states that he was observed logging into a specific server, http://login.sidekick.dngr.com, with Agent Peter Cavicchia's account information. While this site itself is hosted by Danger, Inc., the makers of the Sidekick device used by Agent Cavicchia, it appears that the same usernames and passwords that are used on the primary T-Mobile login page, https://my.t-mobile.com/Login, can also be used to log into this page. We also get some very valuable information from the affidavit that will help us narrow down how Nick hacked these accounts (the CI is a Confidential Informant who was working with the Secret Service to bring Nick in; Ethics is the semi-ironic pseudonym Nick chose for himself):
On or about October 19, 2004, Ethics sent a private message to the CI which contained a link that provides unauthorized access to the T-Mobile database. This link allows a user to input a phone number ultimately allowing access to the user’s personal information.
This information leads me to believe it was likely a web application attack, not a "traditional" buffer overflow attack against a server storing account information. Although it is possible to perform a buffer overflow against a program by passing input through a web app, we can also read Nick's resume on SecurityFocus and see that he doesn't seem to have enough experience in that area. Unless he picked up a copy of The Shellcoder's Handbook last year. ;)
To further corroborate that Nick used a web application hack, most likely SQL Injection (a little research shows that the T-Mobile site uses IIS/ASP/SQL Server, which happens to be the easiest and most well documented platform for SQL Injection attacks), we can check out the website and try to put some invalid input into the T-Mobile login page. I was very surprised with the results: we can still put all sorts of crazy input into the login page! It is still vulnerable, even after one of the largest, most well known, and high profile hacks in the last couple of years! Let's try some (notice the error text on the resulting T-Mobile webpage):
While this is a very, very lame bug, it could be used in a phishing attack on T-Mobile customers, especially if you hex encoded portions of the URL. We also find a slightly more serious bug here: we can inject script tags as well, which could possibly be exploitable and used to steal cookies and therefore circumvent authentication. The resulting HTTP 500 error lets us know that something is wrong with the site, causing a server error. (I have not taken the attack any further, and I would not recommend that you do so either):
In order for this demo to work, you must replace the four ~ with a <>.
We can also find literally hundreds of injection vulnerabilities littered throughout the T-Mobile website. They seem to have cleansed out all of the obvious injection holes accessible via browser input, but if you use a simple web proxy (I like Paros, we use it in both Ethical Hacking classes at InfoSec), you can find them by the hundreds on just about every dynamic page on the website! Here is one (once again, do not attempt to exploit this):
Based on the affidavit, plus the fact that T-Mobile remains highly vulnerable to all sorts of web input attacks, I would say it is highly likely that Nick used some sort of web application bug to circumvent authentication.
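The three weaknesses discussed above (input concatenated into SQL, rejected input echoed back in error text, and filtering applied only to what the browser form exposes) share one server-side fix, sketched here as an added example that is not code from T-Mobile or from the original article. The table, the function names and the ten-digit phone format are assumptions, and sqlite3 stands in for the SQL Server back end the article mentions.

```python
import html
import re
import sqlite3

PHONE_RE = re.compile(r"\d{10}")  # assumed format: exactly ten digits


def make_db():
    """Constructed sample data, not real account records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (phone TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("5550100001", "Alice Example"),
                    ("5550100002", "Bob Example")])
    return db


def lookup_concatenated(db, phone):
    """The 'before' pattern: request data becomes part of the SQL text."""
    sql = "SELECT name FROM accounts WHERE phone = '" + phone + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db, phone):
    """Hardened: allow-list check on the server, then a bound parameter."""
    if not PHONE_RE.fullmatch(phone):
        raise ValueError("phone must be exactly 10 digits")
    rows = db.execute("SELECT name FROM accounts WHERE phone = ?", (phone,))
    return [row[0] for row in rows]


def error_page(user_input):
    """Reflect rejected input only after HTML-encoding it."""
    return "<p>Invalid value: " + html.escape(user_input, quote=True) + "</p>"


def handle_request(db, params):
    """Validate every parameter server-side, whether or not a form shows it."""
    phone = params.get("phone", "")
    try:
        return 200, ", ".join(lookup_parameterized(db, phone)) or "no match"
    except ValueError:
        return 400, error_page(phone)


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # constructed test string
    print(lookup_concatenated(db, hostile))        # every row comes back
    print(handle_request(db, {"phone": hostile}))  # rejected, echoed encoded
    print(handle_request(db, {"phone": "<script>alert(1)</script>"}))
```

Because the check runs in the request handler rather than in the page's form, it applies equally to parameters a proxy can edit but the browser never displays.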
jack (at) infosecinstitute (dot) com