
O2 leaks 3G users' mobile numbers to every website visited

O2 UK is dishing out its customers' mobile numbers like free sweeties to every website they visit over a 3G connection. The info leak was highlighted yesterday by O2 customer Lewis Peckover, who set up a little web tool that displays all the HTTP header information sent to sites by connecting web browsers. These strings of data …

COMMENTS

This topic is closed for new posts.


Anonymous Coward

Oh SH*T!!!

This means El Reg, the BBC, Wikipedia, Chix with Dix and Yahoo Search have my number. It's a perfect cluster f*ck of embarrassment... I mean, come on, who would own up to using Yahoo search these days??

14
0
Meh

Except...

They won't, unless some very control-freakish web admin has set the logs to record every HTTP header received, which would mean some amazingly big log files, and - on IIS at least - require some extra tweaking.

2
0
Anonymous Coward

parser

Easy to extract number and discard dross, big logs really are not required...

3
0
Anonymous Coward

> unless some very control-freakish web admin has set the logs to record every HTTP header received,

Google probably do. They have the resources to record and store everything in the headers.

1
0

Actually I think I know

O2 have a mobile formatted My o2 site which would only work if you used your mobile data as opposed to home broadband to view it (unless you registered your home connection with them)

This appears to have stopped working now... and the header seems to have gone..

Could be interesting fudging someone else's phone number into the header and accessing that site as there was no authentication. I'm betting you could view their bills, tariff info and call history - I'll certainly give this a shot when I get home tonight and attempt to get my partner's data to display via my phone...

2
0

Why would o2 do this?

0
0
Anonymous Coward

> Why would o2 do this?

All part of the Web 3.0 strategy, now websites can easily call you back. Imagine how easy your life will now be. Incidentally O2 get paid termination fees for those calls.

When HTML6 comes around you'll be able to call websites too, thereby making web browsers redundant as we move over to the Voice Web - until someone invents a modem that goes over that, completing the traditional IT cycle.

4
0
Silver badge

Somebody probably got sloppy configuring the proxy server(s)

1
0
Facepalm

"All our testing happens on the live server"

Developer stupidity

2
0
Anonymous Coward

Sloppy?

It's clearly deliberate. The header is named for what it contains- it's not just stuck somewhere random.

0
0
Silver badge

looks like the crooks spotted this last year

That would explain the bunch of text spam that started over xmas, the 1st time I used 3G data for quite some time and the crap started a few days in. Really must visit less dodgy sites I suppose ;)

There were a lot of premium text spam scams being reported on giffgaff late last year. I'm ready to believe this is actively being used by sms spammers.

6
0
Anonymous Coward

Funny you say that!

I finally shifted my O2 account to a fully 3G enabled jobbie with a new phone last November and since then I now get dodgy anonymous (I assume spam) texts coming to my phone at the rate of at least 2 a week, which never happened before I upgraded!

0
0
Silver badge

The good news is: if you start getting premium SMS (as happened to some users recently) you have a big stick to hit O2 with. Hiding behind 'you must have signed up to it, talk to PhonePayPlus' is not a viable escape clause for them any longer.

It's about time the networks were forced to hand control of reverse charges to customers and provide compulsory free barring support, the current system is an invitation to abuse. On O2 I can bar premium shortcodes but only combined with barring international calls, they really don't want to do it and will do what it takes to discourage users.

0
0

So they intercept the HTTP requests (replies?) and add (subtract) their own stuff (headers at least)? (If so, one wonders to what end and with what excuse.)

2
0
Silver badge

Mostly they compress images so they are almost unrecognisable. Also makes it faster and use less bandwidth.

1
0
Silver badge

More

They also insert a javascript link into pages. To what end, I'm not sure.

1
0

My work BlackBerry is on O2 and it shows my number appearing in the header.

Still waiting for my first personal injury claim spam text though.

Lazy, lazy O2.

0
0
Silver badge
Meh

Lazy?

Lazy O2? I'd say the opposite - you have to go to some effort to create such a balls-up. I find it hard to believe it was an accident.

5
0
Anonymous Coward

Snap.

I bet the excuse will be accident or a 'rogue administrator' though.

1
1
Alert

Not really new though...

is it. This has been going on for years, since at least 2007.

Nice paper (pdf link)

https://www.mulliner.org/collin/academic/publications/mobile_web_privacy_icin10_mulliner.pdf

with a bit more info.

Also a list of headers found to be used

http://mobiforge.com/developing/blog/useful-x-headers

SC

1
0

Indeed - and O2 used to make all of this available, at least between 2001 and maybe 2005, when much more work was done by the WAP gateway. Very useful it was too, at least from a site admin's point of view. For a long time X-UP-SUBNO gave you some unique link to the SIM, and for brief periods the actual number was available too.

0
0
Stop

O2 Server Specific

Disconnecting and reconnecting to O2 (e.g. by toggling flight mode) until Lewis' page stops showing your effing number works in the mean time. That is until O2 fix this clusterf*ck.

1
0

Absolutely shocking

This is terrible.

2
0
Thumb Up

Piggybacked carriers?

Does this affect carriers that sit on O2's infrastructure? I want to be able to mock my Tesco Mobile-touting cheapskate friend...

0
1
Anonymous Coward

Yes it does.

0
0

My Tesco iphone doesn't appear to show the number

0
0

GiffGaff

I'm on GiffGaff and it doesn't include the header for me...

Not aware I've used any unusual settings, so unless O2 have fixed it since the article was published, it doesn't affect everyone.

0
0
FAIL

Even worse

If an O2, GiffGaff, or Tesco user visits wap.o2.co.uk from a 3G network, they will be automatically logged into their account, and be able to see billing details, etc.

It looks to me that O2 are using a combination of the 'x-up-calling-line-id' and the incoming user IP to authenticate users into their accounts on the wap.o2.co.uk website.

0
0
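Several posts above turn on the same question: which request headers a site actually receives from a phone behind the carrier gateway, and whether any of them carry the subscriber's number (the 'x-up-calling-line-id' header named in the post above, X-UP-SUBNO mentioned later in the thread, or a bare number in some other header). The following is an added example, not Lewis Peckover's tool or anything from O2: a small header-echo page in the spirit of the lew.io headers page, plus an audit function a site operator can run over their own received headers to see whether identifiers are leaking. The header names x-msisdn and x-nokia-msisdn are assumed additions to the list (other carrier gateways are documented to use them; they are not from this page), and the sample number is constructed.

```python
import re
from wsgiref.simple_server import make_server

# Header names known to carry a subscriber identifier when a carrier gateway
# adds them. x-up-calling-line-id and x-up-subno are named in this thread;
# x-msisdn and x-nokia-msisdn are assumed additions from other gateways.
SUBSCRIBER_HEADERS = {
    "x-up-calling-line-id",
    "x-up-subno",
    "x-msisdn",
    "x-nokia-msisdn",
}

# UK mobile numbers: 07xxxxxxxxx, or +447xxxxxxxxx / 447xxxxxxxxx.
UK_MOBILE_RE = re.compile(r"(?<!\d)(?:\+?44|0)7\d{9}(?!\d)")


def find_leaked_identifiers(headers):
    """Return a sorted list of (header, value, reason) for request headers
    that look like they carry a subscriber identifier. Header names are
    compared case-insensitively; values of unknown headers are scanned for
    anything shaped like a UK mobile number."""
    findings = []
    for name, value in headers.items():
        lname = name.lower()
        if lname in SUBSCRIBER_HEADERS:
            findings.append((lname, value, "known subscriber header"))
        elif UK_MOBILE_RE.search(value):
            findings.append((lname, value, "value matches a UK mobile number"))
    return sorted(findings)


def headers_from_wsgi(environ):
    """Rebuild the request headers from a WSGI environ (HTTP_X_FOO -> x-foo)."""
    headers = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            headers[key[5:].lower().replace("_", "-")] = value
    return headers


def app(environ, start_response):
    """Echo every request header as plain text and mark the ones that leak
    an identifier, so a phone user can see what their gateway appends."""
    headers = headers_from_wsgi(environ)
    flagged = {name for name, _, _ in find_leaked_identifiers(headers)}
    lines = []
    for name in sorted(headers):
        mark = "  <-- LEAKED SUBSCRIBER IDENTIFIER" if name in flagged else ""
        lines.append(f"{name}: {headers[name]}{mark}")
    body = ("\n".join(lines) + "\n").encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [body]


if __name__ == "__main__":
    # Constructed sample: headers a browser behind a carrier gateway might send.
    # 07700 900xxx is a number range Ofcom reserves for fictional use.
    sample = {
        "Host": "example.invalid",
        "User-Agent": "Mozilla/5.0 (constructed sample)",
        "x-up-calling-line-id": "447700900123",
        "Via": "1.1 gateway.example.invalid",
    }
    for finding in find_leaked_identifiers(sample):
        print(finding)
    # Serve the echo page locally; visit http://127.0.0.1:8000/ from the phone
    # (via a reachable host) to see what its gateway actually sends.
    make_server("127.0.0.1", 8000, app).serve_forever()
```

Running the audit over a site's own received headers (rather than over stored logs) is the cheap way to confirm whether a carrier is appending a number, since, as the thread notes, most web servers do not log arbitrary headers by default.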
Go

Workaround

Users can work around this by using the username "bypass" in their APN settings rather than "o2web" or similar, this bypasses o2's proxy and prevents the number leak (as well as stopping the javascript link insertion and image compression o2's proxies also carry out).

This works for standard contracts, I have no idea whether PAYG or iPhone users can use the bypass username and still get a data connection.

6
0
Bronze badge
Thumb Up

Supposedly gives you a speed boost, no idea if that's true but anything that simplifies the service and cuts down on the crap O2 grab as you come through, has got to be a bonus!

0
0
Silver badge

Just tried this

from my Giffgaff connection and makes no difference.

0
0
Anonymous Coward

'bypass' doesn't work

On contract here - just tried 'bypass' as the APN, doesn't work. I just get 'Could not activate cellular data network - you are not subscribed to a cellular data service'.

0
0

still leaks the number on the Tesco network using 'bypass' username

0
0
Facepalm

Not so sure

I tried that and it worked... sometimes. After forcing a reconnect my number started showing up again though. Reverting to defaults produced the exact same results, i.e. sometimes I'd report my number and, after reconnecting to O2, other times not.

So I'd keep an eye on whether the above works consistently for you - just because it was working doesn't mean your phone's not had to reconnect behind the scenes (e.g. loss of signal) and O2 are giving world+dog your mobile number once again.

0
0
Anonymous Coward

Or just delete the proxy name and port from the Access point settings, which seems to enable you to reach https servers that don't have a signed certificate anyway.

0
0

This doesn't work...

Am on contract and reset phone after setting APN login to bypass.

0
0

Same here on my iPhone 4. Bypass username does allow me to get a connection but my phone number is still viewable.

0
0
Thumb Up

Nice one - this has stopped my mobile number appearing in the http headers and internet access is now unbelievably quicker.

I'm on a Simplicity 30-day rolling contract, also had to change the APN from 'wap.o2.co.uk' (as advised by O2) to 'mobile.o2.co.uk' as well as setting Username to 'bypass'

0
0

Plus

O2 want you to pay £1 for the privilege of viewing any sites they deem unsuitable across their mobile network. Even if you've been a customer for 5+ years and you're blatantly old enough.

0
1
Flame

I've found that phoning up and shouting at them is quite effective in this situation.

Especially mentioning that you're the contract holder and by law you have to be over 18 to sign a contract with them seems to be the kicker...

O2 put that ridiculous age barring on my phone 4 times before I left.

Overcharging me is one thing, but keeping a guy from his mobile grot is just a step too far!

0
0
Anonymous Coward

Seems fixed

My account not doing it with safari

0
0
Anonymous Coward

not just O2 ?

Last year, walking through a wood, I saw a sign for some paintball company, and I looked them up on my HTC/Vodafone phone (though NB I *hate* paintball with a passion), and a couple of weeks later I start getting texts from them. Am at a loss to understand why/how - proximity? Web headers?

0
0

Also applies to GiffGaff (just tested it at http://lew.io/headers.php)

0
0
FAIL

APN Change as temporary workaround

Changing your APN settings to the below seems to take a different route through the operator network (or just applies different policies on the gateway) and prevents the header being appended:

APN: mobile.o2.co.uk

Username: bypass

Password: password

In other news, I'm suddenly quite glad I moved to voda.

1
0
Silver badge
Childcatcher

Won't someone think of the children?

I started getting these "FreeMsg" spam texts last summer, after I moved from an iphone to a SGS2. I blamed Google, but it turns out they're not the guilty party.

Now if O2 are just handing out mobile numbers to every dodgy "enhancement" merchant or smut site, can they be done for exposing minors to inappropriate/obscene/illegal content? How are parents (rather than the government) supposed to protect their children if companies can just give this data away without consent?

0
0

You can take the mobile service out of BT, but you can't take the BT out of the mobile service.

(BT, synonymous with fail since 1984)

0
1
Anonymous Coward

How is this any worse than 3 and Vodafone sharing all your browsing habits with a US company that just happens to be subject to the PATRIOT act amongst other things, and all done often without the knowledge let alone consent of the customer (victim)?

0
3
Mushroom

If you were truly evil...

You could perhaps (and I'm not suggesting that anyone would want to do this) change your headers so that you had someone's phone number that you didn't like visit several websites that were less than trustworthy.

As I say I wouldn't recommend doing this but it wouldn't be difficult.

0
0
Silver badge
Boffin

Truly

You could, but not via the O2 network - the proxy would strip it out, or replace it. If you did it from outside the O2 network, the IP addresses wouldn't match and it would be obvious it was done manually.

0
0
FAIL

oops

Not only 3G, EDGE & GPRS too ;(

1
0
