O2 leaks phone number through HTTP headers
Does your mobile network give your phone number to every website you visit? Check whether your mobile network is affecting using our HTTP header checker.
Today, millions of UK mobile users discovered that O2 is revealing their mobile number to every website they visit. Following a tweet last night from Lewis Peckover, O2 users have confirmed the security breach. This is a particularly serious vulnerability as it lets hackers and social engineers know your number, network and location (through IP address) or exposes you to spam marketers.
@lewispeckover
Lewis PeckoverSo, @O2 send my phone no in an HTTP header to every site I browse. WTF? Is this normal?
20 hours ago via web
The leak occurs as O2 is silently proxying all web requests and adding in HTTP headers. For those that don’t know, HTTP headers are sent by all devices that access webpages and usually include important information to help with sending the request and receiving the internet site back. Web browsers can send any HTTP headers they like but they’re generally meant for things like language settings or for determining whether you’re on a phone or a computer. However, O2 have added an additional header called “x-up-calling-line-id” that reveals your personal phone number.
According to the UK’s Data Protection Act:
“A person must not knowingly or recklessly, without the consent of the data controller (a) obtain or disclose personal data or the information contained in personal data, or (b) procure the disclosure to another person of the information contained in personal data.”
As telephone numbers are classified as personally identifiable information under the Data Protection Act, this breach is also probably illegal. The furious reaction of O2 customers is currently going viral on Twitter and major news sources have already picked up the story. Meanwhile, a little-known talk given in 2010 by a Berlin-based security expert already warned against privacy leaks in mobile phone internet access.
O2 have already acknowledged the breach on Twitter this morning and we’ll update the site as we hear more.
UPDATE 13:00: This issue seems to have been fixed by now. Please let us know if you still find that your number is being exposed.
