27 February 2012 ~ 0 Comments

O2 HTTP headers: update

It’s been about three weeks since the huge mobile internet security leak on O2. We thought we’d just give you a bit of a debrief of what exactly happened and the subsequent fallout.

Firstly, as we initially reported, all mobile networks and virtual networks using O2's signal were found to be leaking private phone numbers to every website visited over mobile internet. The information was being revealed through the HTTP headers that are sent to web servers when you access them. In this case, O2 was adding a special HTTP header called x-up-calling-line-id which contained your phone number.

Once this was made public, a veritable media scrum occurred as outraged customers made their ire known across Twitter and the blogosphere. Even the Information Commissioner’s Office got involved:

When people visit a website via their mobile phone they would not expect their number to be made available to that website. We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed.

Due to this coverage, O2 scrambled to get the issue fixed, and by the early afternoon of 25th January 2012 our readers were reporting that their number was no longer being revealed to our HTTP header checker.

O2 also quickly published an official blog post apologising and explaining what happened, and clarified that the issue had been in effect since the 10th of January.

Technical changes we implemented as part of routine maintenance had the unintended effect of making it possible in certain circumstances for website owners to see the mobile numbers of those browsing their site.

As part of their apology, O2 also admitted:

We share mobile numbers with two age verification partners, for child protection purposes. For those customers that have not verified with us that they are over 18, we share your number with Bango.net and Eckoh.com who then verify your age before you are able to access sites with over 18 content.

In retrospect, it’s worth questioning whether this is at all a sensible way to carry out age verification. Instead of giving all age-verified sites a database of phone numbers and ages, surely it would be better to do this within the network? A simple HTTP header such as X-Over-18 with a value of Yes or No would surely be more suitable than handing over people’s phone numbers and requiring the web service to do a database lookup? Worse, O2 still haven’t given a complete list of their “trusted partners” with whom they will still be sharing your phone number without your consent.

If you have any more questions about what this security breach entailed and how you might be affected, feel free to ask us in a comment.


25 January 2012 ~ 0 Comments

O2 leaks phone number through HTTP headers

Does your mobile network give your phone number to every website you visit? Check whether your mobile network is affected using our HTTP header checker.

Today, millions of UK mobile users discovered that O2 is revealing their mobile number to every website they visit. Following a tweet last night from Lewis Peckover, O2 users have confirmed the security breach. This is a particularly serious vulnerability as it lets hackers and social engineers know your number, network and location (through IP address) or exposes you to spam marketers.

So, @O2 send my phone no in an HTTP header to every site I browse. WTF? Is this normal?

The leak occurs because O2 silently proxies all web requests and adds HTTP headers to them. For those who don’t know, HTTP headers are sent with every request a device makes for a web page and usually carry information that helps the server process the request and return the page. Web browsers can send any HTTP headers they like, but they’re generally meant for things like language settings or for determining whether you’re on a phone or a computer. However, O2 have added an additional header called “x-up-calling-line-id” that reveals your personal phone number.
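To make the mechanism concrete, here is an added example (not the site's own HTTP header checker, nor anything from O2): a small audit routine of the kind a site operator or proxy maintainer could run over incoming request headers to detect a network-injected phone number and strip it before the request is logged or forwarded. The header name x-up-calling-line-id comes from the post; the phone-number pattern, the second header name and the sample request are constructed assumptions for illustration.

```python
"""
Added example: audit incoming HTTP request headers for a leaked caller
phone number (as O2's x-up-calling-line-id did) and scrub it.
Sample request and the x-demo-subscriber header are constructed.
"""
import re
from typing import Dict, List, Tuple

# Header name reported in the post; flagged regardless of its value.
KNOWN_SENSITIVE_HEADERS = {"x-up-calling-line-id"}

# Assumed shape of a UK mobile number in a header value: +44, 44 or a
# leading 0, then a 7 and nine more digits, with optional spaces.
PHONE_RE = re.compile(r"^\s*(?:\+?44|0)\s?7(?:\s?\d){9}\s*$")


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP request into a lower-cased dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line.strip() or ":" not in line:
            continue  # skip blank lines and anything that is not 'Name: value'
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_leaking_headers(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (header, value, reason) for every header that exposes a phone number."""
    findings = []
    for name, value in headers.items():
        if name in KNOWN_SENSITIVE_HEADERS:
            findings.append((name, value, "known network-injected caller-id header"))
        elif PHONE_RE.match(value):
            findings.append((name, value, "value looks like a UK mobile number"))
    return findings


def scrub(headers: Dict[str, str]) -> Dict[str, str]:
    """Defensive counterpart: drop flagged headers before logging or forwarding."""
    leaking = {name for name, _, _ in find_leaking_headers(headers)}
    return {k: v for k, v in headers.items() if k not in leaking}


# Constructed sample request as it might arrive after passing through a
# network proxy. 07700 900xxx is the UK range reserved for fictional use.
SAMPLE_REQUEST = """Host: example.test
User-Agent: Mozilla/5.0 (iPhone) Mobile Safari
Accept-Language: en-GB
X-Up-Calling-Line-ID: 447700900123
X-Demo-Subscriber: 07700 900123
X-Forwarded-For: 82.132.0.1
"""

if __name__ == "__main__":
    parsed = parse_raw_headers(SAMPLE_REQUEST)
    for name, value, reason in find_leaking_headers(parsed):
        print(f"LEAK {name}: {value} ({reason})")
    print("forwarded headers:", sorted(scrub(parsed)))
```

Running the block prints two LEAK lines (the known header, and the constructed header caught by the number pattern) and a forwarded header list with both removed; the innocuous headers such as Host and Accept-Language pass through untouched.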

According to the UK’s Data Protection Act:

“A person must not knowingly or recklessly, without the consent of the data controller (a) obtain or disclose personal data or the information contained in personal data, or (b) procure the disclosure to another person of the information contained in personal data.”

As telephone numbers are classified as personally identifiable information under the Data Protection Act, this breach is also probably illegal. The furious reaction of O2 customers is currently going viral on Twitter and major news sources have already picked up the story. Meanwhile, a little-known talk given in 2010 by a Berlin-based security expert already warned against privacy leaks in mobile phone internet access.

O2 have already acknowledged the breach on Twitter this morning and we’ll update the site as we hear more.

UPDATE 13:00: This issue seems to have been fixed by now. Please let us know if you still find that your number is being exposed.


08 December 2011 ~ 0 Comments

Siri: privacy and broken promises

When the iPhone 4S came out earlier this year, most people’s first reaction was disappointment and asking whether anyone knew the new iPhone 5 release date. However, once Siri had been demonstrated, people were less bothered that it was called the iPhone 4S rather than the iPhone 5.

Siri is automated voice-controlled personal assistant software. In the words of Apple, Siri lets you use your voice to send messages, schedule meetings, place phone calls, and more. When you talk, it understands what you say, knows what you mean, and even talks back. However, because it runs in the cloud on Apple’s servers, Siri raises some interesting questions. We recently came across a thought-provoking article about the privacy implications of letting Apple know everything you say to Siri.

While it is not clear how much of the Siri solution is powered by the cloud and how much resides natively on the device, everything that I have read and heard suggests that there is a good deal of processing taking place in the cloud. In other words, Apple’s cloud services are in some way processing your appointments, text messages, location, commands etc. This theoretically means that Apple “knows” as much about you as your personal assistant. Scared yet?

Because Siri is learning software and because it adapts to the way you use it, Apple is tracking more and more information about the way you are and the things you do. Furthermore, if they ever release an API, third party developers might gain access to this information. While hopefully all data sent up to Apple’s servers is anonymised, there are still pertinent privacy questions to be answered.

On the subject of Siri, questions about its usefulness are emerging now that people are no longer wowed by the initial thrill of a phone talking back to them and are, instead, seeing whether it has a place in their daily lives. Over on Gizmodo, they are branding Siri “a lie, and worse, a broken promise”.

…For me, once the novelty wore off, what I found was that Siri is not so intelligent after all—it’s simply another voice program that will obey very specific commands. If it knows those commands. If it can understand you. And if it has a network connection. Were this Google, or Microsoft, I’d shrug. But it’s not, it’s Apple. And Apple is the company that sells perfection. It’s a company that usually keeps its promises, and in its Siri ads, it promises far more than what it actually delivers.

What about you – what do you think about Siri? Do you trust Apple with your private data or do you think it’s a good idea not to tell them every aspect of your life? Do you think that it’s a dumb gimmick that is no use in the real world or is Siri the start of the revolution?

Even though we have found some fantastic iPhone 4S deals, we think the risk of the following is enough to put us off it 🙂
