Phone number exposed via HTTP headers

Update: O2 says that as of 1400 GMT today it has fixed, the problem, and that "technical changes" as part of "routine maintenance" were to blame for the issue, which affected customers from Jan. 10 until today. The network's full statement is available on its official blog.

Original story: If you're browsing the web on your phone or tablet on O2 UK, then the network could be exposing your phone number to every website you visit. O2 customer Lewis Peckover recently discovered that when you're browsing over 3G on O2, your handset's phone number is often included in the HTTP headers sent to each website you visit, in plain text.

HTTP headers are information exchanged between your browser and the web server before a page is loaded. In theory, the way O2 includes your phone number -- alongside more mundane information like your IP address, browser and OS -- means that any website you visit could easily find out your number. It's worth pointing out that the header used by O2 to send phone numbers -- "x-up-calling-line-id" -- isn't one that's routinely logged by web servers. However, just a couple of lines of code would allow a malicious server to find your phone number just by having you visit a website over 3G.

Lewis Peckover has set up a site to allow O2 customers to see whether they're affected. We've tried this with an O2 SIM in our Galaxy Nexus, and sure enough, there our phone number was in the list of "headers received". If you're on O2, make sure you've got Wifi disabled on your device, then click here and see if you spot your phone number among the HTTP headers. For what it's worth, early reports indicate that not all O2 customers are affected, though a large proportion apparently are.

This isn't an Android-specific problem, however due to the fact that it's a network-level issue, it'll affect Android phones just the same as any other device that's browsing over O2's data network. For this reason, just about anything that connects via HTTP over O2's network could potentially access this information. For its part, O2 says it's "investigating" the issue, and while this is a big deal for O2 customers, the fact that this is a network-level problem should mean that a fix will be relatively quick and easy to deploy.

More: Lew.io; via: ThinkBroadband

 
There is 1 comment

mjmdroid says:

Bad , i hope their customers will sue them to court for the damage they are causing to them............