company of the week: t-mobile

t-mobile's public web surface across 17 in-scope domains: what resolves, what's running, and what its login pages disclose.

Most people picture T-Mobile as a phone carrier. From the outside, the scope looks like something else: a network assembled from rivals it bought — Sprint, MetroPCS, and US Cellular — with their prepaid brands and an advertising business folded in. The single most revealing thing it leaves in public isn't a product page or a press release. It's a login page — and read across the whole estate, the login pages answer a question the press releases don't: which of these acquisitions actually became one company.

T-Mobile runs a public bug bounty on Bugcrowd, which puts its public web surface in scope for outside research. neobotnet mapped that surface — explore the full index in /urls.

  • 17 in-scope roots
  • 10,185 dns resolved
  • 248 live web servers
  • 103 technologies
  • 107,899 urls indexed

what's reachable

The scope is not one company. It is seventeen root domains that trace four acquisitions and an ad-tech arm:

t-mobile.com / metrobyt-mobile.com   the carrier + Metro prepaid
sprint.com                           Sprint (merged 2020, domain still live)
uscc.com / uscc.net / uscellular.com US Cellular (acquired 2024)
assurancewireless.com                Lifeline prepaid (arrived via Sprint)
blis.com + *audience.com (×7)        T-Mobile Advertising / Blis

The legacy carriers account for most of the names. t-mobile.com carries 4,547 discovered hostnames, and uscc.com and uscc.net add another 4,949 between them. uscc.net, though, serves no live web pages at all — thousands of its names resolve in DNS but return nothing over HTTP. A large pool of resolving-but-silent hostnames is common in the years after an acquisition: while two networks are being combined, a lot of inherited infrastructure keeps its DNS entry without yet serving a public website.

The same shape holds across the whole estate. Of everything in scope:

  • 10,185 hostnames resolve in DNS.
  • 780 of those answer an HTTP request at all.
  • 248 return an HTTP 200.
  • 166 serve a page with a real title.

That leaves roughly 98% of the resolving names as infrastructure rather than public web pages.

The DNS records also show how that infrastructure is hosted. A host's CNAME target — the canonical name it points to — names its provider directly: more than 1,900 hostnames resolve through Akamai, several hundred more through Microsoft Azure, and 445 through AWS. The SaaS layer is just as visible: ServiceNow, Salesforce and Pardot, Adobe Experience Manager, Zendesk, Imperva, and LotusFlare (a digital-commerce platform built for telecom operators).

That is a map of T-Mobile's vendor stack, drawn entirely from public DNS — before a single one of those servers is probed.
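
An added example (not neobotnet's code) of the attribution described above, written for an operator auditing their own DNS export: it maps each CNAME target to a provider by whole-label suffix, computes the resolved-to-titled funnel, and groups the resolving-but-silent names by provider. The rows and `example.com` names are constructed, and apart from `msappproxy.net` the suffix table is this example's own choice.

```python
from collections import Counter

# CNAME suffix -> provider. msappproxy.net is the suffix the article cites; the
# other suffixes are well-known provider domains chosen for this example.
PROVIDER_SUFFIXES = {
    "edgekey.net": "Akamai", "edgesuite.net": "Akamai", "akamaiedge.net": "Akamai",
    "msappproxy.net": "Azure AD Application Proxy",
    "azurewebsites.net": "Microsoft Azure", "trafficmanager.net": "Microsoft Azure",
    "amazonaws.com": "AWS", "cloudfront.net": "AWS",
}

def provider_for(cname):
    """Attribute a CNAME target by whole-label suffix, so a look-alike such as
    'notamazonaws.com' is not counted as AWS."""
    labels = (cname or "").rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        provider = PROVIDER_SUFFIXES.get(".".join(labels[i:]))
        if provider:
            return provider
    return None

def funnel(rows):
    """rows: (host, cname, http_status, title); status is None when nothing answered."""
    return {
        "resolved": len(rows),
        "answers_http": sum(1 for r in rows if r[2] is not None),
        "http_200": sum(1 for r in rows if r[2] == 200),
        "titled": sum(1 for r in rows if r[2] == 200 and r[3]),
    }

def silent_by_provider(rows):
    """Resolving-but-silent names grouped by provider: the stale-DNS review list."""
    return Counter(provider_for(r[1]) or "unattributed" for r in rows if r[2] is None)

# Constructed inventory rows (example.com names, not data from the article).
ROWS = [
    ("www.example.com", "www.example.com.edgekey.net.", 200, "Home"),
    ("orders.example.com", "orders-tenant.msappproxy.net", 200, "Sign in to your account"),
    ("api.example.com", "lb-1.us-east-1.elb.amazonaws.com", 403, None),
    ("old-shop.example.com", "legacy.azurewebsites.net", None, None),
    ("cdn2.example.com", "d111.cloudfront.net", None, None),
    ("lab.example.com", "host.notamazonaws.com", None, None),
    ("blank.example.com", None, 200, ""),
]

if __name__ == "__main__":
    print(funnel(ROWS))
    print(dict(silent_by_provider(ROWS)))
```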

the login pages

Here is why the login pages matter more than almost anything else on a surface this size. A company can keep a database, an admin panel, or an internal dashboard private — behind a VPN, off public DNS, reachable only from inside the network. It could do the same with its login pages, and it chooses not to: a login page exists to let employees, partners, and dealers sign in from anywhere, so it gets published on purpose even though everything behind it stays gated. Each one is a deliberately-public doorway into an internal tool or dashboard — and in an estate where 98% of hosts serve nothing public, those doorways are most of what's left to read. What they give away isn't the contents behind them. It's the structure: which tools exist, who runs them, and which company each one came from.

And T-Mobile's login pages read like an acquisition timeline, because each company it absorbed kept its own way of logging people in — on its own infrastructure, with its own identity vendor. They are still running side by side.

  • T-Mobile's own apps live on Microsoft Entra (Azure AD). The consumer login at account.t-mobile.com sits behind Akamai; a whole family of internal line-of-business apps — alm.internal, billerdirect, dealerorder, commercial-reporting, physicalaccess-idv — is published to the internet through Azure AD Application Proxy (every one CNAME'd to *.msappproxy.net, all under a single Entra tenant). Two dozen more hosts under *.docs.t-mobile.com all return the same Microsoft "Sign in to your account" screen. This is the consolidated, modern half of the estate.
  • An older T-Mobile system is still up underneath it. sts.t-mobile.com runs Microsoft ADFS — the previous generation of federation — and it's served from T-Mobile's own network rather than a CDN. The new identity stack didn't replace the old one; it was layered on top of it.
  • US Cellular brought its own identity provider, and it never moved. login.uscellular.com is a separate SAML system (/idp/SSO.saml2) running on Cloudflare — a completely different edge from T-Mobile's Akamai. Its QA environment, login-sqa.uscellular.com, is publicly reachable too, sharing the same Cloudflare addresses as production.
  • Sprint's identity service outlived the Sprint brand. Five years after the merger, idam.sprintdrive.sprint.com is still issuing OAuth flows on the Sprint domain.

Four identity systems, four acquisitions, four different pieces of infrastructure. You can read how far the integration has actually gotten just by looking at where the login pages are hosted — and the answer is "T-Mobile's own apps are merged; the companies it bought are not."

reading the login urls

Login pages don't only tell you which system you've hit. The parameters in their URLs tell a researcher how the system is wired, and that is where exposure starts to show. neobotnet indexed 107,899 URLs here; the most informative ones are sign-in traffic. (For each view below, the deep link opens the live filtered result in /urls.)

The federation handshakes are visible. SAMLRequest appears on 357 URLs and RelayState on 350, clustered on the two SAML systems above — T-Mobile's ADFS and US Cellular's IdP. Each one is a single sign-on request captured mid-flight.

see the SAML sign-on URLs →

SAML sign-on URLs in /urls

The login pages name the internal SaaS catalog. US Cellular's IdP carries a PartnerSpId value — the identifier of whichever partner application you're signing in to. Read across 205 URLs, those identifiers enumerate the company's federated vendors with no access required: Sisense (business intelligence), Gloat (an internal talent marketplace), LogicGate (governance and risk — its SAML alias uscc exposed in the URL), several Zendesk support tenants, and a Citrix NetScaler gateway. The login flow is, in effect, a published directory of the tools behind it.

see the partner identifiers →

PartnerSpId values in /urls

The modern flows are OAuth2. client_id, redirect_uri, response_type, and scope travel together across account.t-mobile.com, US Cellular's connecthq, and Sprint's surviving idam. The redirect_uri parameter is the one a researcher always reads first: it controls where a successful login sends the user, and a sign-in flow that accepts the wrong value is the classic open-redirect-into-account-takeover pattern. neobotnet flags the parameter; confirming whether any endpoint validates it loosely is the researcher's job.

see the OAuth redirect URLs →

OAuth redirect_uri URLs in /urls
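
What "validates it loosely" means on the server side, as an added example that is not code from neobotnet or from any operator named here: a prefix check on `redirect_uri` beside exact string comparison against the client's registered URIs, the approach the OAuth 2.0 Security Best Current Practice recommends. The client registry, host names and the choice to require exactly one value per parameter are assumptions of the example.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed registry: client_id -> the exact redirect URIs registered for it.
REGISTERED = {"web-portal": {"https://app.example.com/oauth/callback"}}

def loose_check(client_id, redirect_uri):
    """Weak form: any value that starts with a registered origin string passes."""
    origins = {"{0.scheme}://{0.netloc}".format(urlsplit(u)) for u in REGISTERED.get(client_id, ())}
    return any(redirect_uri.startswith(o) for o in origins)

def strict_check(client_id, redirect_uri):
    """Hardened form: exact string comparison against the registered URIs."""
    return redirect_uri in REGISTERED.get(client_id, ())

def authorize(url, check):
    """Decide an authorization request; returns the action the server would take."""
    query = parse_qs(urlsplit(url).query)
    # This example requires exactly one value for each of these parameters.
    for name in ("client_id", "redirect_uri", "response_type"):
        if len(query.get(name, [])) != 1:
            return "reject: missing or repeated " + name
    client_id, redirect_uri = query["client_id"][0], query["redirect_uri"][0]
    if not check(client_id, redirect_uri):
        return "reject: redirect_uri not registered"
    return "redirect: " + redirect_uri

def request(redirect_uri):
    """Build a constructed authorization URL on a placeholder host."""
    params = {"client_id": "web-portal", "response_type": "code",
              "scope": "openid", "redirect_uri": redirect_uri}
    return "https://login.example.com/authorize?" + urlencode(params)

GOOD = "https://app.example.com/oauth/callback"
LOOKALIKE = "https://app.example.com.other.example/oauth/callback"  # a different host

if __name__ == "__main__":
    for uri in (GOOD, LOOKALIKE):
        for check in (loose_check, strict_check):
            print(check.__name__, authorize(request(uri), check))
```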

An external URL in a parameter usually isn't a redirect. neobotnet flagged 345 URLs carrying an external address in a parameter — the shape that can resemble an open-redirect candidate. Read them, though, and most are SAML plumbing: the SigAlg XML-signature namespace inside sign-on requests, and RelayState values pointing back to US Cellular's own Zendesk tenants. The signal surfaces the shape; the values show federation, not a redirect bug.

see the external-URL signals →

external-URL-in-parameter signals in /urls
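
The triage described above, as an added example (not neobotnet's implementation) that an operator could run over their own sign-in logs: it names the flow from the parameter names, then sorts each external-URL-in-parameter hit into XML-signature plumbing, a value pointing at the operator's own domains or tenants, or a value that needs review. The `OWN_DOMAINS` list, the verdict labels and the sample URLs are constructed for the example.

```python
from urllib.parse import urlencode, urlsplit, parse_qsl

# XML-signature algorithm identifiers are URIs under these W3C namespaces.
XMLDSIG = ("http://www.w3.org/2000/09/xmldsig#", "http://www.w3.org/2001/04/xmldsig-more#")
# Assumption for the example: domains the operator owns or rents as SaaS tenants.
OWN_DOMAINS = ("example.com", "example-support.zendesk.com")

def flow_of(names):
    if "SAMLRequest" in names:
        return "saml"
    return "oauth2" if {"client_id", "redirect_uri"} <= names else "other"

def is_own(host):
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)

def triage(url):
    """Return (flow, findings); findings lists each parameter holding an external URL."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    findings = []
    for name, value in params:
        if not value.lower().startswith(("http://", "https://")):
            continue
        host = (urlsplit(value).hostname or "").lower()
        if host == (parts.hostname or "").lower():
            continue  # points back at the same host: not external
        if name == "SigAlg" and value.startswith(XMLDSIG):
            verdict = "saml-plumbing"   # an algorithm identifier, not a destination
        elif is_own(host):
            verdict = "own-domain"      # e.g. RelayState back to the operator's tenant
        else:
            verdict = "review"          # the only class that needs a human look
        findings.append((name, verdict))
    return flow_of({n for n, _ in params}), findings

def make(base, **params):
    return base + "?" + urlencode(params)

# Constructed sample URLs (example.com names; parameter values are placeholders).
SAML_URL = make("https://idp.example.com/idp/SSO.saml2", SAMLRequest="constructed",
                RelayState="https://example-support.zendesk.com/hc", PartnerSpId="example-sp",
                SigAlg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
OAUTH_URL = make("https://login.example.com/authorize", client_id="web-portal",
                 response_type="code", redirect_uri="https://app.example.com/oauth/callback")
OTHER_URL = make("https://www.example.com/out", next="https://partner.example.net/")

if __name__ == "__main__":
    for u in (SAML_URL, OAUTH_URL, OTHER_URL):
        print(triage(u))
```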

One thing is worth stating plainly: across all 107,899 URLs, neobotnet found no cloud keys, no credentials, and no email addresses or phone numbers exposed in parameters. For a surface this large, that is genuinely clean URL hygiene.

what else is worth a look

  • Sprint, five years later. autodiscover.sprint.com still answers with an Outlook title — Exchange autodiscover responding on a merged-away domain. Most of sprint.com now redirects to T-Mobile content, but the mail and identity plumbing underneath outlived the brand.
  • The advertising arm runs on Imply. Across blis.com and the seven *audience.com domains, a fleet of imply.* hosts all read Login to Imply — a commercial analytics database. Two name the business relationship outright: imply.t-ads.blis.com (T-Mobile Advertising) and imply.publicis.blis.com (the Publicis ad agency).
  • Non-production, publicly resolvable. login-sqa.uscellular.com, accountstg.docs.t-mobile.com, connecthq-stg1/-stg2.uscellular.com, prepaid-uat.uscellular.com, and ppd.account.t-mobile.com — QA, staging, UAT, and pre-prod environments, several of them auth hosts, all reachable from the open internet. Whether they're meant to be is the operator's call.

next week

neobotnet runs the same pass on a different in-scope program every week. Subscribe via RSS or browse the company of the week archive.