O2 leaks 3G users' mobile numbers to every website visited

O2 UK is dishing out its customers' mobile numbers like free sweeties to every website they visit over a 3G connection. The info leak was highlighted yesterday by O2 customer Lewis Peckover, who set up a little web tool that displays all the HTTP header information sent to sites by connecting web browsers. These strings of …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Oh SH*T!!!.

    This means El Reg, the BBC, Wikipedia, Chix with Dix and Yahoo Search have my number. It's a perfect cluster f*ck of embarrassment... I mean, come on, who would own up to using Yahoo search these days??

    1. Ol'Peculier
      Meh

      Except...

      They won't, unless some very control-freakish web admin has set the logs to record every HTTP header received, which would mean some amazingly big log files, and - on IIS at least - require some extra tweaking.

      1. Anonymous Coward

        parser

        Easy to extract number and discard dross, big logs really are not required...

      2. Anonymous Coward

        > unless some very control-freakish web admin has set the logs to record every HTTP header received,

        Google probably do. They have the resources to record and store everything in the headers.

    2. David Barrett

      Actually I think I know

      O2 have a mobile formatted My o2 site which would only work if you used your mobile data as opposed to home broadband to view it (unless you registered your home connection with them)

      This appears to have stopped working now... and the header seems to have gone..

      Could be interesting fudging someone else's phone number into the header and accessing that site as there was no authentication. I'm betting you could view their bills, tariff info and call history - I'll certainly give this a shot when I get home tonight and attempt to get my partner's data to display via my phone...

  2. Arrrggghh-otron

    Why would o2 do this?

    1. Anonymous Coward

      > Why would o2 do this?

      All part of the Web 3.0 strategy, now websites can easily call you back. Imagine how easy your life will now be. Incidentally O2 get paid termination fees for those calls.

      When HTML6 comes around you'll be able to call websites too, thereby making web browsers redundant as we move over to the Voice Web - until someone invents a modem that goes over that, completing the traditional IT cycle.

    2. big_D Silver badge

      Somebody probably got sloppy configuring the proxy server(s)

      1. Anonymous Coward

        Sloppy?

        It's clearly deliberate. The header is named for what it contains- it's not just stuck somewhere random.

    3. web_bod
      Facepalm

      "All our testing happens on the live server"

      Developer stupidity

  3. Paul Shirley

    looks like the crooks spotted this last year

    That would explain the bunch of text spam that started over xmas, the 1st time I used 3G data for quite some time and the crap started a few days in. Really must visit less dodgy sites I suppose ;)

    There were a lot of premium text spam scams being reported on giffgaff late last year. I'm ready to believe this is actively being used by sms spammers.

    1. Anonymous Coward

      Funny you say that!

      I finally shifted my O2 account to a fully 3G enabled jobbie with a new phone last November and since then I now get dodgy anonymous (I assume spam) texts coming to my phone at the rate of at least 2 a week, which never happened before I upgraded!

      1. Paul Shirley

        The good news is: if you start getting premium SMS (as happened to some users recently) you have a big stick to hit O2 with. Hiding behind 'you must have signed up to it, talk to PhonePayPlus' is not a viable escape clause for them any longer.

        It's about time the networks were forced to hand control of reverse charges to customers and provide compulsory free barring support, the current system is an invitation to abuse. On O2 I can bar premium shortcodes but only combined with barring international calls, they really don't want to do it and will do what it takes to discourage users.

  4. Pseu Donyme

    So they intercept the HTTP requests (replies?) and add (subtract) their own stuff (headers at least)? (If so, one wonders to what end and with what excuse.)

    1. jonathanb Silver badge

      Mostly they compress images so they are almost unrecognisable. Also makes it faster and use less bandwidth.

    2. Annihilator

      More

      They also insert a javascript link into pages. To what end, I'm not sure.

  5. Lunatik

    My work BlackBerry is on O2 and it shows my number appearing in the header.

    Still waiting for my first personal injury claim spam text though.

    Lazy, lazy O2.

    1. Annihilator
      Meh

      Lazy?

      Lazy O2? I'd say the opposite - you have to go to some effort to create such a balls-up. I find it hard to believe it was an accident.

      1. Anonymous Coward

        Snap.

        I bet the excuse will be accident or a 'rogue administrator' though.

  6. ScaredyCat
    Alert

    Not really new though...

    is it. This has been going on for years, since at least 2007.

    Nice paper (pdf link)

    https://www.mulliner.org/collin/academic/publications/mobile_web_privacy_icin10_mulliner.pdf

    with a bit more info.

    Also a list of headers found to be used

    http://mobiforge.com/developing/blog/useful-x-headers

    SC

    1. trashbat

      Indeed - and O2 used to make all of this available, at least between 2001 and maybe 2005, when much more work was done by the WAP gateway. Very useful it was too, at least from a site admin's point of view. For a long time X-UP-SUBNO gave you some unique link to the SIM, and for brief periods the actual number was available too.

  7. NellyD
    Stop

    O2 Server Specific

    Disconnecting and reconnecting to O2 (e.g. by toggling flight mode) until Lewis' page stops showing your effing number works in the meantime. That is, until O2 fix this clusterf*ck.

  8. Zilla

    Absolutely shocking

    This is terrible.

  9. Simbu
    Thumb Up

    Piggybacked carriers?

    Does this affect carriers that sit on O2's infrastructure? I want to be able to mock my Tesco Mobile-touting cheapskate friend...

    1. Anonymous Coward

      Yes it does.

    2. Paul 181

      My Tesco iphone doesn't appear to show the number

    3. Ian Yates

      GiffGaff

      I'm on GiffGaff and it doesn't include the header for me...

      Not aware I've used any unusual settings, so unless O2 have fixed it since the article was published, it doesn't affect everyone.

  10. Matt Bradley
    FAIL

    Even worse

    If an O2, GiffGaff, or Tesco user visits wap.o2.co.uk from a 3G network, they will be automatically logged into their account, and be able to see billing details, etc.

    It looks to me that O2 are using a combination of the 'x-up-calling-line-id' header and the incoming user IP to authenticate users into their accounts on the wap.o2.co.uk website.

  11. Alex 0.1
    Go

    Workaround

    Users can work around this by using the username "bypass" in their APN settings rather than "o2web" or similar, this bypasses o2's proxy and prevents the number leak (as well as stopping the javascript link insertion and image compression o2's proxies also carry out).

    This works for standard contracts, I have no idea whether PAYG or iPhone users can use the bypass username and still get a data connection.

    1. The Fuzzy Wotnot
      Thumb Up

      Supposedly gives you a speed boost, no idea if that's true but anything that simplifies the service and cuts down on the crap O2 grab as you come through, has got to be a bonus!

      1. Dr. Mouse Silver badge

        Just tried this

        from my Giffgaff connection and makes no difference.

        1. ed2020

          Same here on my iPhone 4. Bypass username does allow me to get a connection but my phone number is still viewable.

    2. xargle

      This doesn't work...

      Am on contract and reset phone after setting APN login to bypass.

    3. Crady

      still leaks the number on the Tesco network using 'bypass' username

    4. Anonymous Coward

      'bypass' doesn't work

      On contract here - just tried 'bypass' as the APN, doesn't work. I just get 'Could not activate cellular data network - you are not subscribed to a cellular data service'.

    5. Anonymous Coward

      Or just delete the proxy name and port from the Access point settings, which seems to enable you to reach https servers that don't have a signed certificate anyway

    6. NellyD
      Facepalm

      Not so sure

      I tried that and it worked... some times. After forcing a reconnect my number started showing up again though. Reverting to defaults produced exact same results i.e. some times I'd report my number and, after reconnecting to O2, others times not.

      So I'd keep an eye on whether the above works consistently for you - just because it was working doesn't mean your phone's not had to reconnect behind the scenes (e.g. loss of signal) and O2 are giving world+dog your mobile number once again.

    7. Anonymous Coward
      Thumb Up

      Nice one - this has stopped my mobile number appearing in the http headers and internet access is now unbelievably quicker.

      I'm on a Simplicity 30-day rolling contract, also had to change the APN from 'wap.o2.co.uk' (as advised by O2) to 'mobile.o2.co.uk' as well as setting Username to 'bypass'

  12. probedb

    Plus

    O2 want you to pay £1 for the privilege of viewing any sites they deem unsuitable across their mobile network. Even if you've been a customer for 5+ years and you're blatantly old enough.

    1. Tibbs
      Flame

      I've found that phoning up and shouting at them is quite effective in this situation.

      Especially mentioning that you're the contract holder and by law you have to be over 18 to sign a contract with them seems to be the kicker...

      O2 put that ridiculous age barring on my phone 4 times before I left.

      Overcharging me is one thing, but keeping a guy from his mobile grot is just a step too far!

  13. Anonymous Coward

    Seems fixed

    My account not doing it with safari

  14. Matt 29
    FAIL

    APN Change as temporary workaround

    Changing your APN settings to the below seems to take a different route through the operator network (or just applies different policies on the gateway) and prevents the header being appended;

    APN: mobile.o2.co.uk

    Username: bypass

    Password: password

    In other news, I'm suddenly quite glad I moved to Voda.

  15. Shaun...

    Also applies to GiffGaff (just tested it at http://lew.io/headers.php)

  16. Anonymous Coward

    not just O2 ?

    Last year, walking through a wood, I saw a sign for some paintball company, and I looked them up on my HTC/Vodafone phone (though NB I *hate* paintball with a passion), and a couple of weeks later I start getting texts from them. Am at a loss to understand why/how - proximity? Web headers?

  17. Red Bren
    Childcatcher

    Won't someone think of the children?

    I started getting these "FreeMsg" spam texts last summer, after I moved from an iphone to a SGS2. I blamed Google, but it turns out they're not the guilty party.

    Now if O2 are just handing out mobile numbers to every dodgy "enhancement" merchant or smut site, can they be done for exposing minors to inappropriate/obscene/illegal content? How are parents (rather than the government) supposed to protect their children if companies can just give this data away without consent?

  18. b166er

    You can take the mobile service out of BT, but you can't take the BT out of the mobile service.

    (BT, synonymous with fail since 1984)

  19. Anonymous Coward

    How is this any worse than 3 and Vodafone sharing all your browsing habits with a US company that just happens to be subject to the PATRIOT act amongst other things, and all done often without the knowledge let alone consent of the customer (victim)?

  20. rwbthatisme
    FAIL

    oops

    Not only 3G, EDGE & GPRS too ;(

  21. Ben Best
    Mushroom

    If you were truly evil...

    You could perhaps (and I'm not suggesting that anyone would want to do this) change your headers so that you had someone's phone number that you didn't like visit several websites that were less than trustworthy.

    As I say I wouldn't recommend doing this but it wouldn't be difficult.

    1. Annihilator
      Boffin

      Truly

      You could, but not via the O2 network - the proxy would strip it out, or replace it. If you did it from outside the O2 network, the IP addresses wouldn't match and it would be obvious it was done manually.

    2. David Gosnell

      2G browsing too

      Yep, not quite sure where the 3G-only notion came from but have heard it bandied around in various places. The fact that this has been done for many years should be the giveaway... Bit of a storm in a teacup given the logging requirements for exploitation (and lack of evidence of any dodgy use that I am aware of), but still glad it's finally been stomped on.

  22. druck Silver badge
    Happy

    Not happening on my O2 business account, before and after toggling airplane mode.

  23. Anonymous Coward

    GiffGaff user

    My number isn't showing "x-up-calling-line-id" when I view headers on my own site or on lew.io.

    wap.o2.co.uk "My O2" service is currently saying "We're sorry this service is currently unavailable. Please try later or contact O2 Customer Service."

  24. Craigo

    Bypass

    Good job I've been using mobile.o2.co.uk and bypass since I got my first Windows Mobile smartphone (O2 Orbit / WinMo 6) though it was for the image compression reasons.

    I think 3 may be at least using the headers too as I can auto log in to my mobile broadband account just by opening the page. Whether or not it leaks I'll have to find out.

  25. Christian Berger Silver badge

    Wow! That would be highly illegal in many countries

    Like for example in Germany, messing with the web traffic is in principle a criminal offense. However even in Germany companies are not actually punishable.
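Added example (editor's note: this is not code from the article, from Lewis Peckover's lew.io tool, or from any commenter). Several posts above turn on the same three facts: a page that echoes request headers is enough to see whether your connection leaks, the leaked value sits in a named header (x-up-calling-line-id, and historically x-up-subno) so a site operator who logs headers can "extract the number and discard the dross" trivially, and a client can forge the header at will. The script below is a self-contained Python version of such a header-echo page plus the two checks, built with only the standard library. The x-msisdn header name and the constructed sample values (the 447700900xxx number, the 198.51.100.7 address, the log line format) are assumptions, not anything the page reports.

```python
"""Header-echo page with subscriber-identifier leak detection.

Run it, then browse to http://127.0.0.1:8080/ from the connection you want
to check. Every header the server received is echoed back; any header that
carries a carrier-injected subscriber identifier is flagged and masked so
the echo page itself does not re-leak the number.
"""
import re
from wsgiref.simple_server import make_server

# Headers the discussion names as carrying subscriber data. x-msisdn is an
# assumed name (operator proxies vary); it is not mentioned on the page.
SUBSCRIBER_HEADERS = {
    "x-up-calling-line-id": "mobile number (MSISDN)",
    "x-up-subno": "subscriber / SIM identifier",
    "x-msisdn": "mobile number (assumed header name)",
}

# Loose MSISDN shape: optional '+', then 10-15 digits (e.g. 447700900123).
MSISDN_RE = re.compile(r"^\+?\d{10,15}$")


def find_leaks(headers):
    """Return {header-name: value} for every header carrying a subscriber id.

    headers is a mapping of header name -> value; names are matched
    case-insensitively. Unknown x- headers whose value looks like a bare
    phone number are flagged too, so a renamed header still shows up.
    """
    leaks = {}
    for name, value in headers.items():
        lname = name.strip().lower()
        v = value.strip()
        if lname in SUBSCRIBER_HEADERS or (lname.startswith("x-") and MSISDN_RE.match(v)):
            leaks[lname] = v
    return leaks


def redact(value):
    """Mask all but the last three digits of an identifier."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= 3:
        return "*" * len(value)
    return "*" * (len(digits) - 3) + digits[-3:]


def headers_from_environ(environ):
    """Rebuild the request headers from a WSGI environ.

    WSGI stores 'X-Up-Calling-Line-Id: ...' as HTTP_X_UP_CALLING_LINE_ID;
    this maps it back to the lower-cased header name 'x-up-calling-line-id'.
    """
    headers = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            headers[key[5:].lower().replace("_", "-")] = value
    return headers


# What the "parser" comment describes: if a server logs full request headers,
# one regex pulls the numbers back out. Tolerates 'name: value', 'name=value'
# and quoted forms; the log layout itself is a constructed assumption.
LOG_RE = re.compile(r"x-up-calling-line-id[=:\s\"']+(\+?\d{10,15})", re.I)


def numbers_from_log(lines):
    """Return every mobile number found in header-logging access-log lines."""
    return [m.group(1) for m in (LOG_RE.search(line) for line in lines) if m]


def app(environ, start_response):
    """WSGI handler: echo all request headers, flagging and masking leaks."""
    headers = headers_from_environ(environ)
    leaks = find_leaks(headers)
    lines = []
    for name, value in sorted(headers.items()):
        if name in leaks:
            lines.append(f"{name}: {redact(value)}  <-- {SUBSCRIBER_HEADERS.get(name, 'looks like a phone number')}: leaked by your connection")
        else:
            lines.append(f"{name}: {value}")
    if not leaks:
        lines.append("")
        lines.append("No carrier-injected subscriber headers seen on this request.")
    body = "\n".join(lines).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    # Constructed sample: a request as an affected O2 3G client would have sent it.
    sample = {"Host": "example.test", "User-Agent": "Mozilla/5.0",
              "x-up-calling-line-id": "447700900123",
              "X-Forwarded-For": "198.51.100.7"}
    print("leaks in sample request:", find_leaks(sample))
    with make_server("127.0.0.1", 8080, app) as httpd:
        print("echo page on http://127.0.0.1:8080/ (Ctrl-C to stop)")
        httpd.serve_forever()
```

Two things worth noting from the design. The forged-header point made above holds against this page too: anyone can send `curl -H 'x-up-calling-line-id: 447700900123' http://127.0.0.1:8080/` and the page will dutifully flag it, which is exactly why a site must never treat such a header as a credential, whatever the source IP. And a private echo page like this is preferable to a public one for checking your own phone, since the public page's operator receives the very number you are trying to find out whether you are leaking.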


Biting the hand that feeds IT © 1998–2019