O2 3G stops giving punters' mobile numbers to websites
After a flurry of complaints, O2 engineers appear to have shut off the proxy server quirk that leaked to websites the phone numbers of punters browsing the net on 3G connections. The disclosure that affected all users of O2's 3G network on iPhone and Android in the UK was highlighted earlier today. O2 has yet to issue an …
At least they listen
Not saying that it shouldn't have happened, but at least they took action.
Confirmed
No longer happening on my Giffgaff connection.
You don't think
the techies at O2 are spending their work time reading El Reg?!
Or
The deluge of press requests from a number of sites including el Reg, plus the fact their @O2 Twitter feed exploded with complaints!
Good to see social networking working as it should :D
"After the break, we at pot central have proof that the kettle is black."
strange emails from O2
I wonder if the strange email from o2@o2-email.co.uk is related to this change?
Anyone else get an email containing '6565' at around 1pm?
Mine had 666 with instructions to place the phone screen against my forehead and press hard.
Not just 3G
Still seeing references to this affecting only 3G, or only iPhones / Androids. It affected ALL traffic going through O2's web proxies, so affected ALL phones equally regardless of generation.
Yep..... I've got an old LG, 2.5G, it also had the number added to the headers.
Since I almost never use that to browse with, and use Opera Mini when I do, it won't have been an issue for me.
How long had this been going on?
Was it a recent error or had they been doing this for years?
First highlighted in something like 2009, when a number of networks were fingered for doing much the same. Goodness knows how long previously to that, but we can safely assume it didn't start right then.
Headers
I've read somewhere else today that every network has the number attached as one of the headers whilst it's floating inside their own network, for billing, diagnostics etc. but is stripped out before being sent outside.
So my guess is somebody ran a test and forgot to put the filter back on.
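The egress filter the post above describes (internal headers carry the subscriber number for billing and diagnostics, and are meant to be stripped before traffic leaves the network), together with the self-check whose absence the poster guesses at, as an added example. This is not O2's code and not from the article; the thread never names the header O2 actually leaked, so the header names, the sample request and the phone number in it are constructed assumptions.

```python
"""
Operator proxy egress filter plus the outside-view check that should catch
the filter being left off. Added example; header names are hypothetical.
"""
import re
from typing import Dict, List, Tuple

# Hypothetical names for headers that only mean something inside the operator
# network (billing, diagnostics). Assumption: a real deployment keeps its own list.
INTERNAL_ONLY_HEADERS = frozenset({
    "x-internal-msisdn",   # hypothetical: subscriber phone number
    "x-internal-imsi",     # hypothetical: SIM identity
    "x-internal-cell-id",  # hypothetical: serving cell
})

# Loose pattern for an MSISDN-looking value (E.164 or national form, 10-15 digits).
MSISDN_RE = re.compile(r"^\+?\d{10,15}$")


def strip_internal_headers(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (headers safe to forward outside the network, names removed).
    Header names are matched case-insensitively, as HTTP requires."""
    kept: Dict[str, str] = {}
    removed: List[str] = []
    for name, value in headers.items():
        if name.lower() in INTERNAL_ONLY_HEADERS:
            removed.append(name)
        else:
            kept[name] = value
    return kept, removed


def find_identifier_leaks(received_headers: Dict[str, str]) -> List[str]:
    """What a header-echo endpoint *outside* the network should run over the
    headers it actually received: flag any internal-only header that survived,
    and any value that looks like a phone number whatever the header is called
    (so a renamed header still gets caught)."""
    leaks: List[str] = []
    for name, value in received_headers.items():
        if name.lower() in INTERNAL_ONLY_HEADERS:
            leaks.append(f"{name}: internal-only header reached the outside")
        elif MSISDN_RE.match(value.replace(" ", "")):
            leaks.append(f"{name}: value looks like a subscriber number")
    return leaks


# Constructed sample: the request as the proxy sees it inside the network.
# 07700 900xxx is the Ofcom-reserved drama range, so the number is not real.
SAMPLE_INTERNAL_REQUEST = {
    "Host": "example.com",
    "User-Agent": "Mozilla/5.0 (iPhone)",
    "Accept": "text/html",
    "X-Internal-MSISDN": "447700900123",
    "X-Internal-Cell-ID": "234-10-1234-5678",
}


def egress_self_check(internal_request: Dict[str, str]) -> bool:
    """Run the filter, then run the outside-view check over what it would
    forward. True only if nothing identifying would leave the network.
    This is the test to run after every proxy config change."""
    outbound, _ = strip_internal_headers(internal_request)
    return find_identifier_leaks(outbound) == []


if __name__ == "__main__":
    outbound, removed = strip_internal_headers(SAMPLE_INTERNAL_REQUEST)
    print("stripped:", removed)
    print("filter on, leaks:", find_identifier_leaks(outbound))
    print("filter off, leaks:", find_identifier_leaks(SAMPLE_INTERNAL_REQUEST))
```

The second function is the part that matters operationally: a filter that is only verified from inside the network can be switched off without anyone noticing, whereas an echo endpoint on the public internet sees exactly what every other website sees.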
About time too
It would be ridiculous if every website got your phone number
Regards
Mark Jones
Consultant
07744 4385931
Giff Gaff
Really? I've got no data connection at all on Giff Gaff, christ knows what they've done.
Another change
As of today, there's a daily limit to how much data you can use on PAYG. It used to be that even if you went over the bolt-on limits etc, you could use as much as you liked for £1 a day. Now I've just got a message saying I've used today's maximum (don't know what that is).
I suspect they had to change some kit to enable this, and misconfigured it/left the default configuration in place.
Re: The "Unlimited" Limit
If I vaguely remember correctly, that was changed from either 100MB or 200MB (according to their verbal T&Cs on the "Bolt Ons info" IVR section) to something ridiculously low (either 10MB or 50MB), a few months ago - presumably as a result of people abusing it for streaming media.
(I'll admit that I used to use Mobbler quite heavily over UMTS, whilst commuting to university, after I figured out how to tune its bitrate settings, so that tracks didn't play at twice their proper speed).
Controlled trial
I have two devices connected through O2. One is my regular 'phone, and its number is public, easy to find, and known by many. The other is my pocket-puter, whose number I make no attempt to remember, and never give to anyone, but which gets used for almost all my web access on the move (with the exception of railtrack, whose website works much better on the smaller phone).
Observation: the phone whose number is public gets all the spam.
Inference: spammers aren't abusing the information formerly sent to them by O2. I expect they hadn't discovered it.
However...
A few giffgaff (O2 MVNO) newbies report increased levels of SMS spam (accident compensation scams and the like) since porting in. Coincidence, insider selling details, or this flaw? Who knows...
IMO the whole thing is rather overstated, with the risk being theoretical more than practical, but not 100% reassuringly so. I'd imagine ad servers have been above-averagely aggressive in harvesting the information.
