O2 Privacy Flaw Sends Users' Mobile Numbers to Visited Websites

Submitted by Dan; January 27, 2012


Think Broadband notes on a privacy flaw in the way UK carrier O2 handles web traffic on mobile devices has resulted in users' mobile numbers being sent to any website visited from the device as part of the headers in the HTTP requests. While O2 is apparently still investigating the situation, it appears to have the potential for significant privacy-related issues. Think Broadband writes that: "If you're reading this news article using your O2 mobile phone, you'll be pleased to know that O2 have already sent us your mobile phone number within the HTTP headers which normally contain information about how content can be displayed on your device. These headers are not normally seen by users, and usually not logged by most websites, but the flaw allows malicious sites to get more personal information about you than you may be willing to share. For example, if you open an e-mail which includes references to external images, the mere action of opening the e-mail would divulge your phone number. This could be used by anyone undertaking a phishing attack or other scam to get more information from you. The opportunity to abuse this is potentially endless." This issue was discovered by Twitter user @lewispeckover, who then set up a website to allow users to see what headers are being sent as part of their HTTP requests to websites. He notes that the headers coming from his device appear to have stopped showing his mobile phone number, although O2 has yet to issue an official statement on the matter. The company's Twitter account is continuing to blast out responses to concerned users, noting only that the company is looking into the situation and will issue an update when it knows more.


Tags: http headers, iphone, mobile number http headers, o2, UK