HackerTrans
TopNewTrendsCommentsPastAskShowJobs

caffeinedoom

no profile record

Submissions

You can see T-Mobile's acquisitions by where its logins are hosted

neobotnet.com
4 points·by caffeinedoom·20 дней назад·3 comments

[untitled]

1 points·by caffeinedoom·2 месяца назад·0 comments

Show HN: I built a site that maps the web from a bounty hunter's perspective

neobotnet.com
46 points·by caffeinedoom·4 месяца назад·9 comments

comments

caffeinedoom
·20 дней назад·discuss
fun fact!
caffeinedoom
·20 дней назад·discuss
Neobotnet runs web reconnaissance data for public bug bounty programs. Each week it reads one public bug-bounty program's surface top-down — DNS, HTTP, JS bundles, URL params — and writes up what the architecture gives away.

The T-Mobile scope isn't one company. It's four acquisitions plus an ad arm, and you can read how far each integration actually got purely from where the login pages are hosted:

    t-mobile-bounty-scope/
    │
    ├── t-mobile.com  ← own apps · MERGED (single Entra tenant)
    │   ├── account.t-mobile.com        Entra / Azure AD · edge Akamai
    │   ├── *.docs.t-mobile.com ×24     Entra — MS "Sign in" page
    │   ├── alm · billerdirect ·
    │   │   dealerorder · phys-access    Azure AD App Proxy (msappproxy.net)
    │   └── sts.t-mobile.com            ADFS — legacy fed · on-net, no CDN
    │
    ├── metrobyt-mobile.com  ← MetroPCS · folded into T-Mobile prepaid
    │
    ├── sprint.com  ← Sprint (merged 2020) · NOT merged
    │   ├── idam.sprintdrive.sprint.com OAuth · still issuing, 5 yrs on
    │   ├── autodiscover.sprint.com     Exchange autodiscover · Outlook
    │   └── assurancewireless.com       Lifeline prepaid · via Sprint
    │
    ├── uscellular.com / uscc.com  ← US Cellular (acq. 2024) · NOT merged
    │   ├── login.uscellular.com        SAML /idp/SSO.saml2 · Cloudflare
    │   └── login-sqa.uscellular.com    QA SAML, public · same edge as prod
    │
    └── blis.com + *.audience.com ×7  ← T-Mobile Advertising / Blis
        ├── imply.t-ads.blis.com        Imply login · T-Mobile Ads
        └── imply.publicis.blis.com     Imply login · Publicis agency
T-Mobile's own apps merged onto one Entra tenant; the companies it bought each kept their own IdP on their own edge, still running side by side. Sprint's identity service is still issuing OAuth flows five years after the merger, and autodiscover.sprint.com still answers with an Outlook title.

Worth stating plainly: across all 107,899 indexed URLs there were no creds, no cloud keys, no PII in parameters. Pretty clean infra so far.

There's a verify-it-yourself deep link under every claim in the writeup. Happy to get into the method, or where the detector's still noisy.
caffeinedoom
·21 день назад·discuss
[flagged]
caffeinedoom
·4 месяца назад·discuss
Excellent detective work. I had no idea you can get a Tesla's computer off market. I wonder if these may be the last decade that we may be able to get root access to our on hardware consumer products. Keep the good work up.
caffeinedoom
·4 месяца назад·discuss
thank you :) happy to connect and add more targets. please, reach out to me through X at @caffeinedoom or email at [email protected]
caffeinedoom
·4 месяца назад·discuss
had to pump up the available spots and do some hot fixes on the fronted. my apologies pal. i'm learning idea validation atm.
caffeinedoom
·4 месяца назад·discuss
Great feedback! I have some of these questions myself, which makes me think about where I'd like to take neobotnet. The URL data needs to be more refined and provide actionable insights to security teams and devs so they can take appropriate actions with the data. There's more to explore within this data, such as JS and API reconnaissance as also possible client side issues. I'm looking to gather user feedback to polish the tool. Thanks for the comment.
caffeinedoom
·4 месяца назад·discuss
hey freeplay! I added 5 more spots. Thank you so much for using Neobotnet.