T-Mobile USA leaked free access to sites with '/speedtest' in the URL
High school slacker hacker gets LTE for free
American T-Mobile subscribers can score free internet access by running traffic through a proxy with "speedtest" in its URL.
Seventeen-year-old high school student Jacob Ajit found the loophole , since taken down, which allowed cheapskates to access T-Mobile's data network without paying.
Ajit realised speed testing sites and those with the feature embedded could be accessed using a T-Mobile SIM that had no data credit.
He then set up a proxy on a remote server placing "/speedtest" in the URL and could then access all areas of the network.
Ajit said he reported the flaw to T-Mobile and published his hack without waiting for a fix since exploitation of the hole did not put customers at risk.
"I made a decision to go ahead and publish this in the meantime since this unintentional flaw does not pose any harm to T-Mobile or their customers," Ajit says.
"It’s a trivial fix to whitelist speedtest servers based on their official host list, as I point out in this post, and the educational benefits of sharing my findings with the community in this case outweighed the case for waiting for a possible response from T-Mobile."
T-Mobile has not commented on the flaw.
Ajit said he made the decision while bored on a Friday night, trying random apps to see which would load on his credit-depleted account. ®
- Bharti Airtel
- Black Hat
- China Unicom
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Trusted Platform Module
- Zero trust