UK mobile network and former BT subsidiary O2 has been left red-faced after a security researcher spotted it sharing users' mobile phone numbers with every website they visited over its mobile data connection.
Playing with code for monitoring the HTTP headers sent by various devices, O2 customer and security researcher Lewis Peckover spotted something odd: an x-up-calling-line-id header which contained his entire mobile phone number in plain text.
Further research indicated that the header wasn't being generated on the client side: any mobile device connected to O2's network, whether an Android tablet, an iOS device or a BlackBerry smartphone, would have its user's mobile number handed to any website that knew to look for the header.
Rather, the header was being added by a device on O2's network that proxied the traffic before it reached the wider internet: disable the device's mobile data connection and use Wi-Fi instead, and the strange header disappears.
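As an added example (not Peckover's own monitoring code, nor anything from O2), the following Python script does the two checks described above: it scans a request's headers for values that look like a mobile number, and it diffs the headers seen over mobile data against those seen over Wi-Fi from the same handset, which is the test that shows the header is injected by a carrier proxy rather than sent by the device. The x-msisdn header name, the sample requests and the 447700900123 number are assumptions constructed for this example.

```python
"""Detect carrier-injected headers that expose a subscriber's phone number.

Added example, not Lewis Peckover's tool or anything from O2. It (1) scans a
request's headers for values that look like a mobile number and (2) diffs the
headers seen over mobile data against those seen over Wi-Fi, which shows
whether a header was injected by a carrier proxy rather than by the handset.
"""
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# x-up-calling-line-id is the header observed on O2. x-msisdn is an
# assumption added here as a second commonly reported name; extend as needed.
MSISDN_HEADERS = {"x-up-calling-line-id", "x-msisdn"}

# 9 to 15 digits with an optional leading '+', after stripping spaces and
# dashes. The lower bound avoids flagging ordinary numeric headers such as
# Content-Length.
_MSISDN_RE = re.compile(r"\+?\d{9,15}")


def looks_like_msisdn(value: str) -> bool:
    """True if a header value is plausibly a full phone number."""
    compact = re.sub(r"[\s-]", "", value)
    return _MSISDN_RE.fullmatch(compact) is not None


def find_leaked_numbers(headers: dict) -> dict:
    """Return {header_name: value} for headers carrying a phone number."""
    leaked = {}
    for name, value in headers.items():
        if name.lower() in MSISDN_HEADERS or looks_like_msisdn(value):
            leaked[name] = value
    return leaked


def mobile_only_headers(mobile: dict, wifi: dict) -> dict:
    """Headers present on the mobile-data path but absent over Wi-Fi.

    Anything listed here was added between the handset and the web server,
    i.e. by the carrier, since the same device sent both requests.
    """
    wifi_names = {n.lower() for n in wifi}
    return {n: v for n, v in mobile.items() if n.lower() not in wifi_names}


def redact(value: str) -> str:
    """Mask all but the last three digits so logs do not repeat the leak."""
    digits = re.sub(r"\D", "", value)
    return "*" * max(len(digits) - 3, 0) + digits[-3:]


# Constructed sample requests (assumption, not captured traffic). 447700900123
# is in the UK's reserved 07700 900xxx range for fictional numbers.
MOBILE_REQUEST = {
    "Host": "example.test",
    "User-Agent": "Mozilla/5.0 (Linux; Android 4.0; Tablet) AppleWebKit/534.30",
    "Accept": "text/html",
    "x-up-calling-line-id": "447700900123",
}
WIFI_REQUEST = {k: v for k, v in MOBILE_REQUEST.items() if k != "x-up-calling-line-id"}


class HeaderReportHandler(BaseHTTPRequestHandler):
    """Report which of the request's headers expose a phone number."""

    def do_GET(self):
        leaked = find_leaked_numbers(dict(self.headers))
        # Values are redacted and only header names are echoed, so the
        # report itself does not re-leak the number.
        report = {
            "leaked_headers": {n: redact(v) for n, v in leaked.items()},
            "header_names": list(self.headers.keys()),
        }
        body = json.dumps(report, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Offline demonstration on the constructed requests.
    print("leaked over mobile data:", find_leaked_numbers(MOBILE_REQUEST))
    print("injected by the carrier:", mobile_only_headers(MOBILE_REQUEST, WIFI_REQUEST))
    # Then browse to this server from a phone, once over mobile data and
    # once over Wi-Fi, and compare the two reports.
    HTTPServer(("", 8080), HeaderReportHandler).serve_forever()
```

Run it on an internet-reachable host, load the page from a handset over mobile data and then over Wi-Fi, and feed the two header_names lists to mobile_only_headers: any name that appears only on the mobile path was inserted by the carrier's proxy, whatever its value.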
The problem appears related to a similar issue spotted by researcher Collin Mulliner back in 2010 and presented at the Security in Telecommunications Conference (PDF), and affects O2 along with operators that share O2's network, including GiffGaff and Tesco Mobile.
In a statement on the matter, O2 blamed 'technical changes we implemented as part of routine maintenance [which] had the unintended effect of making it possible in certain circumstances for website owners to see the mobile numbers of those browsing their site.'
Although O2 claims that the flaw has now been fixed as of 1400 yesterday, there's a caveat: the company will still share your mobile number with 'selected trusted partners'.
Those partners, O2 explains, include sites that require age verification - including adult entertainment sites - and those who look to bill O2 customers for premium services such as content downloads or ring tones. In other words: if you're browsing porn on your O2 phone over a mobile connection, you should be aware that the site operator has your mobile number.
The Information Commissioner's Office (ICO) has indicated that it will be investigating the matter, while advising privacy activists that a mobile number in and of itself does not constitute 'personally identifiable information' under the Data Protection Act. O2 has promised to cooperate with ICO's investigation.
Are you disappointed in O2's decision to continue sharing customers' mobile numbers with 'trusted partners', or more worried that the ICO doesn't consider such information to be covered under the DPA? Share your thoughts over in the forums.