O2 HTTP headers: update
It’s been about three weeks since the huge mobile internet security leak on O2. We thought we’d just give you a bit of a debrief of what exactly happened and the subsequent fallout.
Firstly, as we initially reported, all mobile networks and virtual networks using O2’s signal were found to be leaking private phone numbers to every website you visit using mobile internet. The information was being revealed through HTTP headers that are sent to web servers when you access them. In this case, O2 was adding a special HTTP header called x-up-calling-line-id which contained your phone number.
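As an added illustration (not code from the original post or from O2), the snippet below does the kind of server-side check a header checker performs: it parses a raw HTTP request and flags the x-up-calling-line-id header named above, plus any other header whose value is shaped like a phone number. The sample request and the number in it are constructed (UK 07700 900xxx numbers are reserved for fiction), and the phone-number pattern and the idea of scanning every header value are assumptions of this example, not anything O2 documented.

```python
import re
from typing import Dict, List, Tuple

# Header the post reports O2 injected; kept lowercase because header names
# are case-insensitive and we normalise them on parse.
KNOWN_NUMBER_HEADERS = {"x-up-calling-line-id"}

# Assumption: a subscriber number looks like an optional "+" followed by
# 7 to 15 digits, possibly separated by spaces or dashes.
PHONE_RE = re.compile(r"^\+?(?:\d[\s-]?){6,14}\d$")

# Constructed request, as a handset behind a leaking gateway might send it.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_0)\r\n"
    "x-up-calling-line-id: 447700900123\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def parse_raw_request(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.x request into a dict keyed by lowercase header name."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def find_leaked_numbers(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (header, value, reason) for each header that appears to carry a phone number."""
    findings: List[Tuple[str, str, str]] = []
    for name, value in headers.items():
        if name in KNOWN_NUMBER_HEADERS:
            findings.append((name, value, "known number-bearing header"))
        elif PHONE_RE.match(value):
            findings.append((name, value, "value shaped like a phone number"))
    return findings

if __name__ == "__main__":
    for header, value, reason in find_leaked_numbers(parse_raw_request(SAMPLE_REQUEST)):
        print(f"LEAK {header}: {value} ({reason})")
```

Run against live traffic, a hit on any header here means the network between the handset and your server is exposing subscriber identity, which is a reason to log and notify rather than to rely on the value.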
Once this was made public, a veritable media scrum occurred as outraged customers made their ire known across Twitter and the blogosphere. Even the Information Commissioner’s Office got involved:
When people visit a website via their mobile phone they would not expect their number to be made available to that website. We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed.
Due to this coverage, O2 scrambled to get the issue fixed, and by the early afternoon of 25th January 2012 our readers were reporting that their number was no longer being revealed to our HTTP header checker.
O2 also quickly published an official blog post apologising and explaining what happened and also clarified that the issue had been in effect all the way since the 10th of January.
Technical changes we implemented as part of routine maintenance had the unintended effect of making it possible in certain circumstances for website owners to see the mobile numbers of those browsing their site.
As part of their apology, O2 also admitted:
We share mobile numbers with two age verification partners, for child protection purposes. For those customers that have not verified with us that they are over 18, we share your number with Bango.net and Eckoh.com who then verify your age before you are able to access sites with over 18 content.
In retrospect, it’s worth questioning whether this is at all a sensible way to carry out age verification. Instead of giving all age-verified sites a database of phone numbers and ages, surely it would be better to do this within the network? A simple HTTP header such as X-Over-18 with a value of Yes or No would be far more suitable than handing over people’s phone numbers and requiring the web service to do a database lookup. Worse, O2 still haven’t given a complete list of the “trusted partners” with whom they will continue to share your phone number without your consent.
If you have any more questions about what this security breach entailed and how you might be affected, feel free to ask us in a comment.