O2 leaks 3G users' mobile numbers to every website visited O2 UK is dishing out its customers' mobile numbers like free sweeties to every website they visit over a 3G connection. The info leak was highlighted yesterday by O2 customer Lewis Peckover, who set up a little web tool that displays all the HTTP header information sent to sites by connecting web browsers. These strings of …
O2 have a mobile formatted My o2 site which would only work if you used your mobile data as opposed to home broadband to view it (unless you registered your home connection with them)
This appears to have stopped working now... and the header seems to have gone..
Could be interesting fudging someone elses phone number into the header and accessing that site as there was no authentication, Im betting you could view their bills, tarriff info and call history - ill certinally give this a shot when I get home tonight and attempt to get my partners data to display via my phone...
> Why would o2 do this?
All part of the Web 3.0 strategy, now websites can easily call you back. Imagine how easy your life will now be. Incidentally O2 get paid termination fees for those calls.
When HTML6 comes around you'll be able to call websites too, thereby making web browsers redundant as we move over to the Voice Web - until someone invents a modem that goes over that, completing the traditional IT cycle.
That would explain the bunch of text spam that started over xmas, the 1st time I used 3G data for quite some time and the crap started a few days in. Really must visit less dodgy sites I suppose ;)
There were a lot of premium text spam scams being reported on giffgaff late last year. I'm ready to believe this is actively being used by sms spammers.
The good news is: if you start getting premium SMS (as happened to some users recently) you have a big stick to hit O2 with. Hiding behind 'you must of have signed up to it, talk to PhonePayPlus' is not a viable escape clause for them any longer.
It's about time the networks were forced to hand control of reverse charges to customers and provide compulsory free barring support, the current system is an invitation to abuse. On O2 I can bar premium shortcodes but only combined with barring international calls, they really don't want to do it and will do what it takes to discourage users.
is it. This has been going on for years, since at least 2007.
Nice paper (pdf link)
https://www.mulliner.org/collin/academic/publications/mobile_web_privacy_icin10_mulliner.pdf
with a bit more info.
Also a list of headers found to be used
http://mobiforge.com/developing/blog/useful-x-headers
SC
Indeed - and O2 used to make all of this available, at least between 2001 and maybe 2005, when much more work was done by the WAP gateway. Very useful it was too, at least from a site admin's point of view. For a long time X-UP-SUBNO gave you some unique link to the SIM, and for brief periods the actual number was available too.
If an O2, GiffGaff, or Tesco users visits wap.o2.co.uk from a 3G network, they will be automatically logged into their account, and be able to see billing details, etc.
If looks to me that O2 are using a combination of the 'x-up-calling-line-id' and the incoming user IP to authenticate users into their accounts on the wap.o2.co.uk website.
Users can work around this by using the username "bypass" in their APN settings rather than "o2web" or similar, this bypasses o2's proxy and prevents the number leak (as well as stopping the javascript link insertion and image compression o2's proxies also carry out).
This works for standard contracts, I have no idea whether PAYG or iPhone users can use the bypass username and still get a data connection.
I tried that and it worked... some times. After forcing a reconnect my number started showing up again though. Reverting to defaults produced exact same results i.e. some times I'd report my number and, after reconnecting to O2, others times not.
So I'd keep an eye on whether going the above works consistently for you - just because it was working doesn't mean your phones not had to reconnect behind the scenes (e.g. loss of signal) and O2 are giving world+dog your mobile number once again.
I've found that phoning up and shouting at them is quite effective in this situation.
Especially mentioning that you're the contract holder and by law you have to be over 18 to sign a contract with them seems to be the kicker...
O2 put that ridiculous age barring on my phone 4 times before I left.
Overcharging me is one thing, but keeping a guy from his mobile grot is just a step too far!
Changing your APN settings to the below seems to take a different route through the operator network (or just applies different policies on the gateway) and prevents the header being appended;
APN: mobile.o2.co.uk
Username: bypass
Password: password
In other news, i'm suddently quite glad I moved to voda.
Last year, walking through a wood, I saw a sign for some paintball company, and I looked them up on my HTC/Vodafone phone (though NB I *hate* paintball with a passion), and a couple of weeks later I start getting texts from them. Am at a loss to understand why/how - proximity? Web headers?
I started getting these "FreeMsg" spam texts last summer, after I moved from an iphone to a SGS2. I blamed Google, but it turns out they're not the guilty party.
Now if O2 are just handing out mobile numbers to every dodgy "enhancement" merchant or smut site, can they be done for exposing minors to inappropriate/obscene/illegal content? How are parents (rather than the government) supposed to protect their children if companies can just give this data away without consent?
Yep, not quite sure where the 3G-only notion came from but have heard it bandied around in various places. The fact that this has been being done for many years should be the giveaway... Bit of a storm in a tea-cup given the logging requirements for exploitation (and lack of evidence of any dodgy use that I am aware of), but still glad it's finally been stomped on.
You could perhaps (and I'm not suggesting that anyone would want to do this).
Change your headers so that you had someone's phone number that you didn't like visit several websites that were less than trustworthy.
As I say I wouldn't recommend doing this but it wouldn't be difficult.
Good job I've been using mobile.o2.co.uk and bypass since I got my first Windows Mobile smartphone (O2 Orbit / WinMo 6) though it was for the image compression reasons.
I think 3 may be at least using the headers too as I can auto log in to my mobile broadband account just by opening the page. Whether or not it leaks I'll have to find out.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
