O2 caught sending mobile phone numbers to websites
Claims issue occurred due to maintenance error
By John E Dunn | Techworld | Published: 14:20, 25 January 2012
UK network O2 has found itself at the centre of an embarrassing data privacy storm after it emerged that it allows websites to see the mobile numbers of all subscribers that browse the Internet using its 3G data service.
The controversy was set off by a single O2 user, Lewis Peckover, who noticed that his mobile number was being sent to every website embedded in plain text as part of the http header.
Extraordinarily, the numbers appears to be forwarded by O2’s own servers when users connect to the Internet through its 3G service; anyone using a WiFi connection will not be affected because they are not traversing that infrastructure.
Related Articles on Techworld
Given the potential for websites to capture numbers for text spamming, annoyed users have bombarded O2’s Twitter feed with complaints to which the network found itself responding with a stock tweet to every user who raised the issue.
“Hi there, we're looking into this as we speak - it's important to us. Once we've got an update, we'll share it,” tweeted O2.
It turns out that the issue is not new. Graham Cluley of Sophos points out that the issue was first made public in March 2010 at the CanSecWest conference in Vancouver by researcher Collin Mulliner.
The proxying by O2 is not particularly surprising, indeed all mobile networks probably do it to optimise web traffic to cross their hard-pressed 3G networks efficiently. The question is why O2 thinks it important to insert a sensitive piece of information such as a mobile phone number into data sent to websites.
It could just be inserted automatically without the intention having been to give websites the ability to see phone numbers.
So far rival networks – Vodafone, 3 and Orange/T-Mobile - don’t appear to be affected by the number forwarding issue.
O2 later released a statement confirming the forwarding issue had occurred due to a routine maintenance error between 10 and 25 January 2012 which it said it had now rectified.
"We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused," O2 said.
