HackerTrans
TopNewTrendsCommentsPastAskShowJobs

caffeinedoom

no profile record

Submissions

You can see T-Mobile's acquisitions by where its logins are hosted

neobotnet.com
4 points·by caffeinedoom·20 ngày trước·3 comments

[untitled]

1 points·by caffeinedoom·2 tháng trước·0 comments

Show HN: I built a site that maps the web from a bounty hunter's perspective

neobotnet.com
46 points·by caffeinedoom·4 tháng trước·9 comments

comments

caffeinedoom
·20 ngày trước·discuss
fun fact!
caffeinedoom
·20 ngày trước·discuss
Neobotnet runs web reconnaissance data for public bug bounty programs. Each week it reads one public bug-bounty program's surface top-down — DNS, HTTP, JS bundles, URL params — and writes up what the architecture gives away.

The T-Mobile scope isn't one company. It's four acquisitions plus an ad arm, and you can read how far each integration actually got purely from where the login pages are hosted:

    t-mobile-bounty-scope/
    │
    ├── t-mobile.com  ← own apps · MERGED (single Entra tenant)
    │   ├── account.t-mobile.com        Entra / Azure AD · edge Akamai
    │   ├── *.docs.t-mobile.com ×24     Entra — MS "Sign in" page
    │   ├── alm · billerdirect ·
    │   │   dealerorder · phys-access    Azure AD App Proxy (msappproxy.net)
    │   └── sts.t-mobile.com            ADFS — legacy fed · on-net, no CDN
    │
    ├── metrobyt-mobile.com  ← MetroPCS · folded into T-Mobile prepaid
    │
    ├── sprint.com  ← Sprint (merged 2020) · NOT merged
    │   ├── idam.sprintdrive.sprint.com OAuth · still issuing, 5 yrs on
    │   ├── autodiscover.sprint.com     Exchange autodiscover · Outlook
    │   └── assurancewireless.com       Lifeline prepaid · via Sprint
    │
    ├── uscellular.com / uscc.com  ← US Cellular (acq. 2024) · NOT merged
    │   ├── login.uscellular.com        SAML /idp/SSO.saml2 · Cloudflare
    │   └── login-sqa.uscellular.com    QA SAML, public · same edge as prod
    │
    └── blis.com + *.audience.com ×7  ← T-Mobile Advertising / Blis
        ├── imply.t-ads.blis.com        Imply login · T-Mobile Ads
        └── imply.publicis.blis.com     Imply login · Publicis agency
T-Mobile's own apps merged onto one Entra tenant; the companies it bought each kept their own IdP on their own edge, still running side by side. Sprint's identity service is still issuing OAuth flows five years after the merger, and autodiscover.sprint.com still answers with an Outlook title.

Worth stating plainly: across all 107,899 indexed URLs there were no creds, no cloud keys, no PII in parameters. Pretty clean infra so far.

There's a verify-it-yourself deep link under every claim in the writeup. Happy to get into the method, or where the detector's still noisy.
caffeinedoom
·21 ngày trước·discuss
[flagged]
caffeinedoom
·4 tháng trước·discuss
Excellent detective work. I had no idea you can get a Tesla's computer off market. I wonder if these may be the last decade that we may be able to get root access to our on hardware consumer products. Keep the good work up.
caffeinedoom
·4 tháng trước·discuss
thank you :) happy to connect and add more targets. please, reach out to me through X at @caffeinedoom or email at [email protected]
caffeinedoom
·4 tháng trước·discuss
had to pump up the available spots and do some hot fixes on the fronted. my apologies pal. i'm learning idea validation atm.
caffeinedoom
·4 tháng trước·discuss
Great feedback! I have some of these questions myself, which makes me think about where I'd like to take neobotnet. The URL data needs to be more refined and provide actionable insights to security teams and devs so they can take appropriate actions with the data. There's more to explore within this data, such as JS and API reconnaissance as also possible client side issues. I'm looking to gather user feedback to polish the tool. Thanks for the comment.
caffeinedoom
·4 tháng trước·discuss
hey freeplay! I added 5 more spots. Thank you so much for using Neobotnet.