T-Mobile USA leaked free access to sites with '/speedtest' in the URL

High school slacker hacker gets LTE for free


American T-Mobile subscribers can score free internet access by running traffic through a proxy with "speedtest" in its URL.

Seventeen-year-old high school student Jacob Ajit found the loophole , since taken down, which allowed cheapskates to access T-Mobile's data network without paying.

Ajit realised speed testing sites and those with the feature embedded could be accessed using a T-Mobile SIM that had no data credit.

He then set up a proxy on a remote server placing "/speedtest" in the URL and could then access all areas of the network.

Ajit said he reported the flaw to T-Mobile and published his hack without waiting for a fix since exploitation of the hole did not put customers at risk.

"I made a decision to go ahead and publish this in the meantime since this unintentional flaw does not pose any harm to T-Mobile or their customers," Ajit says.

"It’s a trivial fix to whitelist speedtest servers based on their official host list, as I point out in this post, and the educational benefits of sharing my findings with the community in this case outweighed the case for waiting for a possible response from T-Mobile."

T-Mobile has not commented on the flaw.

Ajit said he made the decision while bored on a Friday night, trying random apps to see which would load on his credit-depleted account. ®


Biting the hand that feeds IT © 1998–2021