Bad O2! 24th January 2012 Fixed!
Good job social media :) All seems to be fixed: O2's statement. I'll leave the below page in place, but everything below this line can be considered out of date. You should no longer be able to see your number listed here.

O2 send your phone number to every site you visit using their mobile data network?

This page is a simple little script which prints out all the information I receive about you when you visit. If you're on O2's UK mobile network (not ADSL), you'll (probably) see a line beginning with x-up-calling-line-id - followed by your mobile phone number in plain text. To see it in action, remember to disable wifi on your device, and don't use a proxying browser like Opera Mini.

Headers received:
Host: lew.io
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Forwarded-Proto: http
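From the receiving site's side, the header described above can be kept out of request logs. This is an added example, not the script behind the page above: it parses a header dump of the kind printed there and redacts x-up-calling-line-id before anything is logged. The sample request, the phone number in it and the digits-only heuristic are constructed assumptions.

```python
import re

# Header the page reports O2's proxy adding; extend the set for other carriers.
SUBSCRIBER_HEADERS = {"x-up-calling-line-id"}
# Assumption (not from the page): any header whose whole value looks like
# a phone number (optional +, 10-15 digits) is treated as suspect as well.
MSISDN_RE = re.compile(r"^\+?\d{10,15}$")


def parse_headers(dump):
    """Parse 'Name: value' lines into a list of (name, value) pairs."""
    pairs = []
    for line in dump.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            pairs.append((name.strip(), value.strip()))
    return pairs


def redact(pairs):
    """Return (safe_pairs, findings); findings name the header, never the number."""
    safe, findings = [], []
    for name, value in pairs:
        known = name.lower() in SUBSCRIBER_HEADERS
        if known or MSISDN_RE.match(value):
            findings.append(name.lower())
            value = "[redacted]"
        safe.append((name, value))
    return safe, findings


# Constructed sample request; the number is a made-up placeholder value.
SAMPLE = """\
Host: example.test
User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.4)
Accept: text/html,application/xhtml+xml
x-up-calling-line-id: 447700900123
X-Forwarded-Proto: http
"""

if __name__ == "__main__":
    safe, findings = redact(parse_headers(SAMPLE))
    for name, value in safe:
        print(f"{name}: {value}")
    print("subscriber identifiers removed from:", findings)
```

Logging the finding without the value lets an operator see that a carrier proxy is injecting identifiers while not retaining the number itself.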
O2 accused of passing customers' phone numbers to web sites.

Does your mum now have my O2 phone number? « Tim Dobson.

Today we found out that O2 had screwed up their mobile internet proxy settings quite epically and had sent customer phone numbers to millions of websites, worldwide, as a matter of process, presumably by accident.
We already know this from the fantastic investigative work of O2 customer and Twitter user Lew Peckover, a 28-year-old web systems administrator working in the field for 10 years. Now let me explain what’s going on from a technical view. Mobile operators skimp on deploying proper internet infrastructure and frequently implement various nasty tricks for a variety of reasons. Things like downscaling images, inserting JavaScript into HTML pages with DPI, arbitrarily blocking websites and ports, and NAT are frequently used by mobile internet providers, including O2.
To be able to downscale images, insert things into HTML pages etc. Lew created a website to let people see this in action; let’s look at an example: So the big questions I can imagine people are asking now: Oh yes.

Ruskin147: Breaking off from the @O2... Bad O2!

Open Digital Policy Blog: O2 sends your phone number to every website you visit, should you be bothered?

In a word, yes; I very much think this matters.
Why? Because at the very least it allows any website operator to capture your telephone number and potentially use it to send you spam texts or marketing calls.

UPDATE 25-Jan 13:29: Twitter user @alanbell_libsol reports the problem as fixed and I can confirm it's fixed for me too.

The problem

We have confirmed that UK mobile phone network O2 sends your mobile phone number to each website you visit.
The O2 problem was reportedly spotted by @lewispeckover and has been a known issue in the security industry for 2 years; see Collin Mulliner's 2010 CanSecWest talk. We know the issue also affects at least one operator using the O2 network, GiffGaff. We have also confirmed the phone number is sent even if you connect your computer or tablet to the internet via your phone, i.e. tethering. Personal data? What can someone do with your mobile phone number? Maybe you trust Google or Facebook.
In my personal opinion this is a very serious issue. Related issues. O2 shares your mobile phone number with every website you visit. If you're reading this news article using your O2 mobile phone, you'll be pleased to know that O2 have already sent us your mobile phone number within the HTTP headers which normally contain information about how content can be displayed on your device.
These headers are not normally seen by users, and usually not logged by most websites, but the flaw allows malicious sites to get more personal information about you than you may be willing to share. For example, if you open an e-mail which includes references to external images, the mere action of opening the e-mail would divulge your phone number. This could be used by anyone undertaking a phishing attack or other scam to get more information from you. The opportunity to abuse this is potentially endless. This issue was uncovered by @lewispeckover and has been confirmed by thinkbroadband as being correct, although by the time we took this photo, the issue seems to have stopped affecting the phone we tested: