2 comments

  • jerlam 1 hour ago
    I think as late as last year, AT&T Prepaid was still using the "paygoonline.com" domain, which was an acquisition in 1995.
  • caffeinedoom 1 hour ago
    Neobotnet runs web reconnaissance data for public bug bounty programs. Each week it reads one public bug-bounty program's surface top-down — DNS, HTTP, JS bundles, URL params — and writes up what the architecture gives away.

    The T-Mobile scope isn't one company. It's four acquisitions plus an ad arm, and you can read how far each integration actually got purely from where the login pages are hosted:

        t-mobile-bounty-scope/
        │
        ├── t-mobile.com  ← own apps · MERGED (single Entra tenant)
        │   ├── account.t-mobile.com        Entra / Azure AD · edge Akamai
        │   ├── *.docs.t-mobile.com ×24     Entra — MS "Sign in" page
        │   ├── alm · billerdirect ·
        │   │   dealerorder · phys-access    Azure AD App Proxy (msappproxy.net)
        │   └── sts.t-mobile.com            ADFS — legacy fed · on-net, no CDN
        │
        ├── metrobyt-mobile.com  ← MetroPCS · folded into T-Mobile prepaid
        │
        ├── sprint.com  ← Sprint (merged 2020) · NOT merged
        │   ├── idam.sprintdrive.sprint.com OAuth · still issuing, 5 yrs on
        │   ├── autodiscover.sprint.com     Exchange autodiscover · Outlook
        │   └── assurancewireless.com       Lifeline prepaid · via Sprint
        │
        ├── uscellular.com / uscc.com  ← US Cellular (acq. 2024) · NOT merged
        │   ├── login.uscellular.com        SAML /idp/SSO.saml2 · Cloudflare
        │   └── login-sqa.uscellular.com    QA SAML, public · same edge as prod
        │
        └── blis.com + *.audience.com ×7  ← T-Mobile Advertising / Blis
            ├── imply.t-ads.blis.com        Imply login · T-Mobile Ads
            └── imply.publicis.blis.com     Imply login · Publicis agency
    
    T-Mobile's own apps merged onto one Entra tenant; the companies it bought each kept their own IdP on their own edge, still running side by side. Sprint's identity service is still issuing OAuth flows five years after the merger, and autodiscover.sprint.com still answers with an Outlook title.

    Worth stating plainly: across all 107,899 indexed URLs there were no creds, no cloud keys, no PII in parameters. Pretty clean infra so far.

    There's a verify-it-yourself deep link under every claim in the writeup. Happy to get into the method, or where the detector's still noisy.