O2 shares your mobile phone number with every website you visit

If you're reading this news article using your O2 mobile phone, you'll be pleased to know that O2 have already sent us your mobile phone number within the HTTP headers which normally contain information about how content can be displayed on your device. These headers are not normally seen by users, and usually not logged by most websites, but the flaw allows malicious sites to get more personal information about you than you may be willing to share.
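The leak described above is a carrier proxy injecting an extra request header that the browser never shows. A site operator can detect and redact such headers before they reach an access log. The following is an added example, not code from the article or from O2: it parses a raw HTTP/1.1 request, flags any header whose whole value is shaped like an international phone number, and returns a redacted copy for logging. The header name `X-Example-Carrier-Subscriber` and the number `447700900123` are constructed placeholders (the article does not name the real header), and the `NUMERIC_OK` allowlist is an assumption about which standard headers legitimately carry long digit strings.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample request. "X-Example-Carrier-Subscriber" is a placeholder
# for whatever header a carrier proxy might add; 447700900123 is in a UK
# drama (reserved) range and is not a real subscriber number.
SAMPLE_REQUEST = (
    "GET /news/article HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X)\r\n"
    "Accept: text/html,application/xhtml+xml\r\n"
    "X-Example-Carrier-Subscriber: 447700900123\r\n"
    "Accept-Language: en-GB\r\n"
    "\r\n"
)

# Assumption: these standard headers may legitimately hold long digit strings
# and must not be mistaken for phone numbers.
NUMERIC_OK = {"content-length", "max-forwards", "age", "x-forwarded-port"}

# 10 to 15 digits, optional leading '+', matches the E.164 length range.
MSISDN_RE = re.compile(r"^\+?\d{10,15}$")


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Split a raw HTTP/1.1 request into a dict of lowercased header names."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]  # drop the request line
    headers: Dict[str, str] = {}
    for line in lines:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def looks_like_msisdn(value: str) -> bool:
    """True if the whole value, ignoring separators, is phone-number shaped."""
    compact = re.sub(r"[\s\-().]", "", value)
    return bool(MSISDN_RE.match(compact))


def find_subscriber_like_headers(raw_request: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs for headers carrying a phone-number-shaped value."""
    return [
        (name, value)
        for name, value in parse_headers(raw_request).items()
        if name not in NUMERIC_OK and looks_like_msisdn(value)
    ]


def scrub_for_logging(raw_request: str) -> Dict[str, str]:
    """Headers safe to write to an access log: suspicious values are redacted."""
    headers = parse_headers(raw_request)
    for name, _ in find_subscriber_like_headers(raw_request):
        headers[name] = "[redacted]"
    return headers


if __name__ == "__main__":
    for name, value in find_subscriber_like_headers(SAMPLE_REQUEST):
        print(f"warning: header {name!r} carries a phone-number-shaped value {value!r}")
    print(scrub_for_logging(SAMPLE_REQUEST))
```

Running the script prints a warning for the placeholder header and a header dict with that value replaced by `[redacted]`; the shape-based check means it would catch an injected number regardless of what the carrier names the header.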

For example, if you open an e-mail which includes references to external images, the mere action of opening the e-mail would divulge your phone number. This could be used by anyone undertaking a phishing attack or other scam to get more information from you. The opportunity to abuse this is potentially endless.

This issue was uncovered by @lewispeckover and has been confirmed by thinkbroadband as being correct, although by the time we took this photo, the issue seems to have stopped affecting the phone we tested:

This screenshot from an iPhone still shows the problem:


We understand from other sources that it is still affecting some individuals; however, we suspect O2 has been quick to start fixing the issue. Our suspicion is that the feature is used by internal O2 websites to identify the user trying to make changes to the account, but that one or more of O2's proxy servers have been misconfigured so that the header is passed on to external sites as well.

We have tested this on Vodafone ourselves and have found no trace of a similar problem.

O2 users may be able to confirm if they are still affected by visiting Lewis Peckover's website here (external link), noting that by visiting the site, you're probably giving him your phone number (although we very much suspect he would be more careful with it).
