O2 accused of leaking phone numbers to websites
By Stewart Mitchell
Posted on 25 Jan 2012 at 10:09
O2 is facing a privacy backlash from users after reports emerged that the company was sharing subscribers' mobile numbers with the websites they visit.
The potentially damaging privacy breach was spotted by system administrator Lewis Peckover, who posted details of how mobile phone numbers appeared when visitors reached his website from their handsets.
Peckover released a script showing the information he receives, saying it included phone numbers, and claimed that the data was not client-side, meaning it had to come from O2.
“O2 seems to be transparently proxying HTTP traffic and inserting this header,” he said. “If you're on O2's UK mobile network (not ADSL), you'll (probably) see a line beginning with x-up-calling-line-id - followed by your mobile phone number in plain text.
“It is logical to conclude that this same information is sent to all other websites too,” he added.
O2 said it was still looking into the claims.
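For site operators on the receiving end of such a header, the following added example (not Peckover's script and not part of the original article) shows a WSGI middleware that drops `x-up-calling-line-id` before application code or logging can see it, and records only a redacted marker. The class and function names, the sample request and the phone number are constructed for illustration.

```python
# Added example: keep carrier-injected subscriber numbers out of app code and logs.
LEAKY_HEADER = "x-up-calling-line-id"  # header name quoted in the article
ENVIRON_KEY = "HTTP_" + LEAKY_HEADER.upper().replace("-", "_")  # WSGI spelling


def redact(number):
    """Keep only the last two digits so the event can be noted without the number."""
    digits = [c for c in number if c.isdigit()]
    return "*" * max(len(digits) - 2, 0) + "".join(digits[-2:])


class StripCallingLineId:
    """Remove the header from the WSGI environ before the wrapped app runs."""

    def __init__(self, app, on_detect=None):
        self.app = app
        self.on_detect = on_detect or (lambda redacted, environ: None)

    def __call__(self, environ, start_response):
        value = environ.pop(ENVIRON_KEY, None)
        if value is not None:
            # Report that a number arrived, never the number itself.
            self.on_detect(redact(value), environ)
        return self.app(environ, start_response)


def echo_headers_app(environ, start_response):
    """Toy app that echoes request headers, like a header-dump test page."""
    lines = sorted(
        f"{k[5:].lower().replace('_', '-')}: {v}"
        for k, v in environ.items() if k.startswith("HTTP_")
    )
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return ["\n".join(lines).encode("utf-8")]


def demo():
    """Send one constructed request through the middleware; return (body, events)."""
    events = []
    app = StripCallingLineId(echo_headers_app, lambda r, e: events.append(r))
    environ = {  # constructed request with a made-up number
        "REQUEST_METHOD": "GET",
        "HTTP_HOST": "example.test",
        "HTTP_USER_AGENT": "ExampleBrowser/1.0",
        ENVIRON_KEY: "447700900123",
    }
    body = b"".join(app(environ, lambda status, headers: None)).decode()
    return body, events
```

This only stops the receiving site from storing the number; the header is still added on the network side, so removing it at the proxy remains the carrier's job.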
Criticism
O2 faces an angry backlash from users who saw this discovery as a serious data breach, and it will need to act quickly to halt a wave of Twitter disapproval.
“If you want your customers to feel safe, you must disable the proxy immediately, then deal with the wider issues,” said Alexander Hanff, managing director of Think Privacy via his Twitter feed. “RIPA now carries penalties for 'accidental breach' and O2 needs to be held to account for this, numbers effected could be high.
"The longer this proxy is left running the more significant the breach becomes and hundreds of thousands of customers risk exposure."
Hanff highlighted how rogue websites could misuse the information, by manipulating tools such as Gmail's two-factor authentication that uses phone numbers for verification, adding “the gravity of this issue is huge”.
Customers worried
Industry insiders said they were already seeing serious concerns from customers that could be affected by the issue.
“I think O2 have dropped a major one with the phone-number-in-headers thing,” said IT company Wrenthorpe Consultancy on its Twitter feed.
“My morning's being spent dealing with clients who are extremely worried - huge privacy/security concerns.”
According to Wrenthorpe, the issue wasn't restricted to O2, but also affected customers of Tesco Mobile and GiffGaff, which are virtual networks using the mobile operator's infrastructure.
"We're currently aware of an issue where mobile number information could be being shared in HTTP headers when browsing the mobile internet through headers on your 3G service," a GiffGaff spokesperson said in a statement.
"At GiffGaff, the privacy and security of our customers is our utmost concern," he added. "We are investigating the reports of what appears to be an O2 network issue as a priority, and will be back to you here as soon as we hear anything more."
Grammar error from the Managing Director
"numbers effected could be high"; should be "affected".
You'd think a highly paid professional would know better!
By BornOnTheCusp on 25 Jan 2012
Windows Phones
I'm on O2 and have a Windows Phone and I don't see my number in the webpage. Looks like Windows Phone users are not affected.
By henry20012 on 25 Jan 2012
@henry20012
They are affected. Try turning your wifi network connection off so you go over O2's network. I've just tried it from my HTC HD7 and there was my phone number in all its plain text glory!
By stephen_d_morris on 25 Jan 2012
I'm on O2 but via CarphoneWarehouse. The issue does not appear to affect me.
By Jahnold on 25 Jan 2012
Not me either
Doesn't seem to affect me either: using O2 phone, wifi turned off and Dolphin Browser.
By mo_bailey on 25 Jan 2012
Nor me
Windows Mobile 6.5 (remember that?) on giffgaff. I don't see this using either Pocket IE or Opera Mobile.
BUT I do have the adult content filter disabled so maybe that's why.
By TBennett on 25 Jan 2012
Didn't see mine either - O2, Android phone with default browser. Wifi off.
By artiss on 25 Jan 2012
Actually...
...reading his Twitter feed it looks like O2 may have now resolved the problem.
By artiss on 25 Jan 2012
Imagine...
this post is a long list of insults peppered with expletives and you'll understand how I'm feeling right now.
By dubiou on 25 Jan 2012
@stephen_d_morris
Yep, turned my wifi off then went to the page, but could not see my number.
By henry20012 on 25 Jan 2012
I'm on O2 and I didn't see my number though the problem has been fixed.
Also I believe anyone using Opera would not be affected as you browse through Opera's servers.
By james016 on 25 Jan 2012
It has been fixed
http://www.theregister.co.uk/2012/01/25/o2_stop_phone_number_leak/
By james016 on 25 Jan 2012
"Doesn't seem to affect me either: using O2 phone, wifi turned off and Dolphin Browser."
Well the issue has now been fixed, so you wouldn't be able to replicate it now.
By Lacrobat on 26 Jan 2012
