O2 UK is dishing out its customers' mobile numbers like free sweeties to every website they visit over a 3G connection. The info leak was highlighted yesterday by O2 customer Lewis Peckover, who set up a little web tool that displays all the HTTP header information sent to sites by connecting web browsers. These strings of data …
This means El Reg, the BBC, Wikipedia, Chix with Dix and Yahoo Search have my number. It's a perfect cluster f*ck of embarassment... I mean, come on, who would own up to using Yahoo search these days??
They won't, unless some very control-freakish web admin has set the logs to record every HTTP header received, which would mean some amazingly big log files, and - on IIS at least - require some extra tweaking.
Easy to extract number and discard dross, big logs really are not required...
> unless some very control-freakish web admin has set the logs to record every HTTP header received,
Google probably do. They have the resources to record and store everything in the headers.
Actually I think I know
O2 have a mobile formatted My o2 site which would only work if you used your mobile data as opposed to home broadband to view it (unless you registered your home connection with them)
This appears to have stopped working now... and the header seems to have gone..
Could be interesting fudging someone elses phone number into the header and accessing that site as there was no authentication, Im betting you could view their bills, tarriff info and call history - ill certinally give this a shot when I get home tonight and attempt to get my partners data to display via my phone...
Why would o2 do this?
> Why would o2 do this?
All part of the Web 3.0 strategy, now websites can easily call you back. Imagine how easy your life will now be. Incidentally O2 get paid termination fees for those calls.
When HTML6 comes around you'll be able to call websites too, thereby making web browsers redundant as we move over to the Voice Web - until someone invents a modem that goes over that, completing the traditional IT cycle.
Somebody probably got sloppy configuring the proxy server(s)
"All our testing happens on the live server"
It's clearly deliberate. The header is named for what it contains- it's not just stuck somewhere random.
looks like the crooks spotted this last year
That would explain the bunch of text spam that started over xmas, the 1st time I used 3G data for quite some time and the crap started a few days in. Really must visit less dodgy sites I suppose ;)
There were a lot of premium text spam scams being reported on giffgaff late last year. I'm ready to believe this is actively being used by sms spammers.
Funny you say that!
I finally shifted my O2 account to a fully 3G enabled jobbie with a new phone last November and since them I now get dodgy annoymous, I assume spam texts, coming to my phone now at the rate of at least 2 a week which never happened before I upgraded!
The good news is: if you start getting premium SMS (as happened to some users recently) you have a big stick to hit O2 with. Hiding behind 'you must of have signed up to it, talk to PhonePayPlus' is not a viable escape clause for them any longer.
It's about time the networks were forced to hand control of reverse charges to customers and provide compulsory free barring support, the current system is an invitation to abuse. On O2 I can bar premium shortcodes but only combined with barring international calls, they really don't want to do it and will do what it takes to discourage users.
So they intercept the HTTP requests (replies?) and add (substract) their own stuff (headers at least)? (If so one wonders to what end and with what excuse.)
Mostly they compress images so they are almost unrecognisable. Also makes it faster and use less bandwidth.
My work BlackBerry is on O2 and it shows my number appearing in the header.
Still waiting for my first personal injury claim spam text though.
Lazy, lazy O2.
Lazy O2? I'd say the opposite - you have to go to some effort to create such a balls-up. I find it hard to believe it was an accident.
I bet the excuse will be accident or a 'rogue administrator' though.
Not really new though...
is it. This has been going on for years, since at least 2007.
Nice paper (pdf link)
with a bit more info.
Also a list of headers found to be used
Indeed - and O2 used to make all of this available, at least between 2001 and maybe 2005, when much more work was done by the WAP gateway. Very useful it was too, at least from a site admin's point of view. For a long time X-UP-SUBNO gave you some unique link to the SIM, and for brief periods the actual number was available too.
O2 Server Specific
Disconnecting and reconnecting to O2 (e.g. by toggling flight mode) until Lewis' page stops showing your effing number works in the mean time. That is until O2 fix this clusterf*ck.
This is terrible.
Does this affect carriers that sit on O2's infrastructure? I want to be able to mock my Tesco Mobile-touting cheapskate friend...
Yes it does.
My Tesco iphone doesn't appear to show the number
I'm on GiffGaff and it doesn't include the header for me...
Not aware I've used any unusual settings, so unless O2 have fixed it since the article was published, it doesn't affect everyone.
If an O2, GiffGaff, or Tesco users visits wap.o2.co.uk from a 3G network, they will be automatically logged into their account, and be able to see billing details, etc.
If looks to me that O2 are using a combination of the 'x-up-calling-line-id' and the incoming user IP to authenticate users into their accounts on the wap.o2.co.uk website.
This works for standard contracts, I have no idea whether PAYG or iPhone users can use the bypass username and still get a data connection.
Supposedly gives you a speed boost, no idea if that's true but anything that simplifies the service and cuts down on the crap O2 grab as you come through, has got to be a bonus!
Just tried this
from my Giffgaff connection and makes no difference.
'bypass' doesn't work
On contract here - just tried 'bypass' as the APN, doesn't work. I just get 'Could not activate celluar data network - you are not subscribed to a cellular data service'.
still leaks the number on the Tesco network using 'bypass' username
Not so sure
I tried that and it worked... some times. After forcing a reconnect my number started showing up again though. Reverting to defaults produced exact same results i.e. some times I'd report my number and, after reconnecting to O2, others times not.
So I'd keep an eye on whether going the above works consistently for you - just because it was working doesn't mean your phones not had to reconnect behind the scenes (e.g. loss of signal) and O2 are giving world+dog your mobile number once again.
Or just delete the proxy name and port from the Access point settings, which seems to enable you to reach https servers that dont have a signed certificate anyway
This doesn't work...
Am on contract and reset phone after setting APN login to bypass.
Same here on my iPhone 4. Bypass username does allow me to get a connection but my phone number is still viewable.
Nice one - this has stopped my mobile number appearing in the http headers and internet access is now unbelievably quicker.
I'm on a Simplicity 30-day rolling contract, also had to change the APN from 'wap.o2.co.uk' (as advised by O2) to 'mobile.o2.co.uk' as well as setting Username to 'bypass'
O2 want you to pay £1 for the privilege of viewing any sites they deem unsuitable across their mobile network. Even if you've been a customer for 5+ years and you're blatently old enough.
I've found that phoning up and shouting at them is quite effective in this situation.
Especially mentioning that you're the contract holder and by law you have to be over 18 to sign a contract with them seems to be the kicker...
O2 put that ridiculous age barring on my phone 4 times before I left.
Overcharging me is one thing, but keeping a guy from his mobile grot is just a step too far!
My account not doing it with safari
not just O2 ?
Last year, walking through a wood, I saw a sign for some paintball company, and I looked them up on my HTC/Vodafone phone (though NB I *hate* paintball with a passion), and a couple of weeks later I start getting texts from them. Am at a loss to understand why/how - proximity? Web headers?
Also applies to GiffGaff (just tested it at http://lew.io/headers.php)
APN Change as temporaty workaround
Changing your APN settings to the below seems to take a different route through the operator network (or just applies different policies on the gateway) and prevents the header being appended;
In other news, i'm suddently quite glad I moved to voda.
Won't someone think of the children?
I started getting these "FreeMsg" spam texts last summer, after I moved from an iphone to a SGS2. I blamed Google, but it turns out they're not the guilty party.
Now if O2 are just handing out mobile numbers to every dodgy "enhancement" merchant or smut site, can they be done for exposing minors to inappropriate/obscene/illegal content? How are parents (rather than the government) supposed to protect their children if companies can just give this data away without consent?
You can take the mobile service out of BT, but you can't take the BT out of the mobile service.
(BT, synonymous with fail since 1984)
How is this any worse than 3 and Vodafone sharing all your browsing habits with a US company that just happens to be subject to the PATRIOT act amongst other things, and all done often without the knowledge let alone consent of the customer (victim)?
If you were truly evil...
You could perhaps (and I'm not suggesting that anyone would want to do this).
Change your headers so that you had someone's phone number that you didn't like visit several websites that were less than trustworthy.
As I say I wouldn't recommend doing this but it wouldn't be difficult.
You could, but not via the O2 network - the proxy would strip it out, or replace it. If you did it from outside the O2 network, the IP addresses wouldn't match and it would be obvious it was done manually.
Not only 3g, edge & gprs to ;(
- Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
- Analysis Oh no, Joe: WinPhone users already griping over 8.1 mega-update
- Leaked pics show EMBIGGENED iPhone 6 screen
- AMD demos 'Berlin' Opteron, world's first heterogeneous system architecture server chip
- OK, we get the message, Microsoft: Windows Defender splats 1000s of WinXP, Server 2k3 PCs