bit-tech.net

O2 caught sending mobile numbers to websites

O2 has been caught out sending customers' mobile numbers to third-party websites, following an apparent configuration error.

UK mobile network and BT spin-off O2 has been left red-faced after a security researcher spotted it sharing users' mobile phone numbers with every website they visited.

Playing with code for monitoring the HTTP headers sent by various devices, O2 customer and security researcher Lewis Peckover spotted something odd: an x-up-calling-line-id header containing his entire mobile phone number in plain text.

Further research indicated that the header wasn't being generated on the client side: any mobile device connected to O2's network, whether an Android tablet, an iOS device or a BlackBerry smartphone, would happily send its user's mobile number to any website that knew to look for the header.

Rather, the header was being added by a device on O2's network that proxied the traffic before it left O2's network for the wider internet: disable the handset's mobile data connection and use Wi-Fi instead, and the strange header disappears.
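The two checks the article describes, looking for a known header such as x-up-calling-line-id and comparing what a site receives over mobile data against what it receives over Wi-Fi, can be automated on the server side. The following is an added example written for this page, not code from the article, from Lewis Peckover or from O2; the two captured requests are constructed, and the number in them is a placeholder from the UK reserved 07700 900xxx drama range, not a real subscriber's number.

```python
"""Spot carrier-injected HTTP request headers that carry a subscriber's phone number.

Two complementary checks, both from a site operator's or tester's viewpoint:
  1. flag_known_identifier_headers: look for header names already known to carry a number.
  2. headers_only_over_mobile: diff a mobile-data capture against a Wi-Fi capture of the same
     client, so headers added by a carrier proxy show up even when their name is not on a list.
"""
from typing import Dict, List, Tuple

# Header names known to carry a caller's number. Only the name from the article is listed;
# add others as assumptions if your own captures reveal them.
KNOWN_IDENTIFIER_HEADERS = {"x-up-calling-line-id"}

# Constructed captures: the same handset requesting the same page over O2 mobile data
# and over Wi-Fi. The number 447700900123 is a placeholder, not a real subscriber.
MOBILE_REQUEST = """GET / HTTP/1.1
Host: example.test
User-Agent: Mozilla/5.0 (Linux; Android 2.3.6) AppleWebKit/533.1
Accept: text/html
x-up-calling-line-id: 447700900123
"""

WIFI_REQUEST = """GET / HTTP/1.1
Host: example.test
User-Agent: Mozilla/5.0 (Linux; Android 2.3.6) AppleWebKit/533.1
Accept: text/html
"""


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 request into a dict.

    Header names are lower-cased because HTTP header names are case-insensitive;
    the request line is skipped and parsing stops at the first blank line.
    """
    headers: Dict[str, str] = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def flag_known_identifier_headers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, masked value) pairs for any header on the known list."""
    return sorted(
        (name, mask_number(value))
        for name, value in headers.items()
        if name in KNOWN_IDENTIFIER_HEADERS
    )


def headers_only_over_mobile(mobile: Dict[str, str], wifi: Dict[str, str]) -> List[str]:
    """Header names present in the mobile-data capture but absent over Wi-Fi.

    Anything listed here was added somewhere between the handset and the site,
    which is exactly the behaviour the article attributes to O2's proxy.
    """
    return sorted(set(mobile) - set(wifi))


def mask_number(value: str) -> str:
    """Keep only the last four digits so a log line does not itself leak the number."""
    digits = "".join(ch for ch in value if ch.isdigit())
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def audit(mobile_raw: str, wifi_raw: str) -> Dict[str, object]:
    """Run both checks and return a summary suitable for logging or alerting."""
    mobile = parse_request_headers(mobile_raw)
    wifi = parse_request_headers(wifi_raw)
    return {
        "known_identifier_headers": flag_known_identifier_headers(mobile),
        "injected_over_mobile": headers_only_over_mobile(mobile, wifi),
    }


if __name__ == "__main__":
    print(audit(MOBILE_REQUEST, WIFI_REQUEST))
```

The diff check is the more general one: a carrier can rename or add headers at any time, so a site that wants to know whether its visitors' numbers are being exposed should compare captures from the two paths rather than rely on a fixed name list. Logging only a masked value keeps the audit itself from becoming another place the full number is stored.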

The problem appears to be related to a similar issue spotted by researcher Collin Mulliner back in 2010 and presented at the Security in Telecommunications Conference (PDF), and affects O2 and network-sharing operators including GiffGaff and Tesco Mobile.

In a statement regarding the matter, O2 blamed 'technical changes we implemented as part of routine maintenance [which] had the unintended effect of making it possible in certain circumstances for website owners to see the mobile numbers of those browsing their site.'

Although O2 claims that the flaw has now been fixed as of 1400 yesterday, there's a caveat: the company will still share your mobile number with 'selected trusted partners.'

Those partners, O2 explains, include sites that require age verification - including adult entertainment sites - and those that bill O2 customers for premium services such as content downloads or ring tones. In other words: if you're browsing porn on your O2 phone over a mobile connection, you should be aware that the site operator has your mobile number.

The Information Commissioner's Office (ICO) has indicated that it will be investigating the matter, while advising privacy activists that a mobile number in and of itself does not constitute 'personally identifiable information' under the Data Protection Act. O2 has promised to cooperate with ICO's investigation.

Are you disappointed in O2's decision to continue sharing customers' mobile numbers with 'trusted partners,' or more worried that ICO doesn't consider such information to be covered under the DPA? Share your thoughts over in the forums.

10 Comments

Glix 26th January 2012, 14:23 Quote
Surely it should be considered personally identifiable information? It's just as direct as an email address.
Krikkit 26th January 2012, 14:29 Quote
Fixed as of 14:00 yesterday. :)
Gareth Halfacree 26th January 2012, 14:56 Quote
Quote:
Originally Posted by Krikkit
Fixed as of 14:00 yesterday. :)
As it says in the article - and if you read on, you'll see that O2 will *continue* to send your mobile number to "trusted partners," including porn sites.
debs3759 26th January 2012, 15:29 Quote
I'm glad I'm not an O2 customer (or one of the other affected networks).

When I get phone calls from people/companies who I have not explicitly given my number to with permission to contact me, I always demand to speak to whoever is in charge and demand that I be removed from their database, after asking where they got the number from. I haven't yet taken legal steps against anyone, but am not against doing so when my contact details are given out willy-nilly by some unauthorised ****. I value my privacy more than I value having a cheap phone contract :)

Of course, for this issue there is a workaround. If you want to (for example) download porn anonymously, just go request a new (free) SIM, and use that when accessing that sort of site :)
Dan_O2 26th January 2012, 17:22 Quote
Hi there, we now have a blog that will provide all the info you need. You can also ask any further questions you have on the blog: http://j.mp/MPNblog

Thanks
Dan - O2 Social Media Team
Krikkit 27th January 2012, 08:48 Quote
Quote:
Originally Posted by Gareth Halfacree
Quote:
Originally Posted by Krikkit
Fixed as of 14:00 yesterday. :)
As it says in the article - and if you read on, you'll see that O2 will *continue* to send your mobile number to "trusted partners," including porn sites.

Haha, skim-reading fail! What a bunch of knobbers. Totally unneeded.
Snips 27th January 2012, 09:46 Quote
Does that mean the girl I'm watching getting hammered now knows my phone number? Cool!
Fizzban 27th January 2012, 11:39 Quote
Quote:
Originally Posted by Dan_O2
Hi there, we now have a blog that will provide all the info you need. You can also ask any further questions you have on the blog: http://j.mp/MPNblog

Thanks
Dan - O2 Social Media Team

Cheers. That answered my question/s.
leexgx 28th January 2012, 11:24 Quote
Just use Opera Mini with images set to medium or low, as all data then gets routed via Opera Turbo servers completely (if images are set to high, Opera Turbo is disabled so it downloads directly from the site). That bypasses the over-18 lock, and it may also prevent phone number data sharing, as only Opera's servers would see it.

I use giffgaff, which in turn uses O2; their proxy servers do have issues (pages stop midway when loading). Also, all the phones get NAT IPs, whereas you get a real one on Orange and I think T-Mobile (not really checked).
SighMoan 31st January 2012, 10:55 Quote
Quote:
Originally Posted by Dan_O2
Hi there, we now have a blog that will provide all the info you need. You can also ask any further questions you have on the blog: http://j.mp/MPNblog

Thanks
Dan - O2 Social Media Team

I like this bit: "This is standard industry practice." Is it? Can anyone confirm or deny this, as I was under the impression that O2 was the only one doing it...