Home » 

UK ISP News Archives

 » 
Sponsored Links

UPDATE6 O2 UK Mobile Internet Connections Expose Customers Phone Numbers

Posted: 25th Jan, 2012 By: MarkJ
mobile internet securityo2 broadband ukUPDATE: The problem has now been fixed (scroll to the bottom for more). Customers of O2 UK's Mobile Broadband services may be displeased to learn that their private phone numbers are allegedly being exposed to every website they visit from within the connections HTTP headers.

HTTP headers are used seamlessly every time you request to access a website. They tell the web server a little about how it should handle your connection (e.g. your language, what web browser you use, what web page you've requested etc.). So far.. so normal.

However Thinkbroadband and several customers have now confirmed that the HTTP headers being sent by at least some of O2's mobile internet connections also appear to be including the customers personal phone number! As a result any savvy web server admin could easily catch and extract this data for abuse.

o2_uk_http_header_mobile_security_blunder.gif

Thinkbroadband notes that the issue appears to be sporadic and doen't affect every connection, which could suggest a problem with the setup of O2's mobile proxy servers. Note that none of this affects O2's fixed line Home Broadband customers, only its mobile users.


At the time of writting we're still awaiting a reply from O2 and that should come soon. In the meantime mobile users might want to consider using the Opera Mini web browser, which speeds up web browsing by using its own proxy and thus should not expose your phone number to web servers.

UPDATE 10:29am

O2 has told ISPreview.co.uk that they are "investigating" the problem and promise to report back as soon as they can. In the meantime we're seeing more emails, tweets and comments from people whom have spotted the same problem on their connections. We just asked a family member to test and they found it too. We'll update again soon.

UPDATE 12:43pm

Customers of O2's Virtual Network Operators (MVNO), such as GiffGaff and Tesco Mobile, also appear to be reporting the same problem. Meanwhile O2 user and system admin, Lewis Peckover, has setup a simple test to see if your connection is affected (only applies to O2 users): http://lew.io/headers.php .

Lewis Peckover added:

"To answer some questions and responses I've seen - no, it's not anything client-side. O2 seem to be transparently proxying HTTP traffic and inserting this header.

Another annoying feature of O2 is that they interfere with the responses from servers too. They downgrade all images and insert a javascript link into the HTML of each page. I've talked to customer service about this lovely feature several times, but they never have a clue what I'm talking about, let alone any idea how to opt out/disable it."

Everybody is still waiting for O2 to respond and even the mainstream media has picked up on this now.

UPDATE 12:54pm

More bad news. According to Sophos, a German student (Collin Mulliner) first exposed the exact same security problem almost two years ago (March 2010) when he gave a presentation - 'Privacy Leaks in Mobile Phone Internet Access' - to the CanSecWest conference in Vancouver. Take note that the sites security certificate (above link) seems to be out of date. We've also added a video of the problem above.

UPDATE 2:22pm

The problem, which has been known about for two years (see above), now finally seems to be vanishing from some affected connections. Mind you we saw this earlier when others were still suffering from it.

No official update from O2 yet, although they continue to tell customers that "this sort of thing is very serious to us" (O2 Twitter) and is being treated "as a priority". We suspect that they're attempting to fix it before making any kind of announcement.

UPDATE 2:43pm

The BBC News has managed to grab a comment from the government's Information Commissioner's Office (ICO), which is worth a read.

ICO Statement

"When people visit a website via their mobile phone they would not expect their number to be made available to that website. We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed."

It's worth noting that many web servers also log http headers as part of normal processes (they usually don't contain anything of real worth) and some reports suggest that a few web masters are finding reams of personal O2 mobile phone numbers in those. We had a quick check of our own logs but they only store the standard request fields and not the O2 related ones.

UPDATE 4:18pm

O2 claims to have officially fixed the problem at 2pm today and has now explained what happened, which is much as we reported above. The operator also claims that the problem, which was apparently due to "technical changes" that occurred during "routine maintenance", began on 10th January 2012. During this period "there has been the potential for disclosure of customers’ mobile phone numbers to further website owners".

O2 Statement

Security is of the utmost importance to us and we take the protection of our customers’ data extremely seriously.

We have seen the report published this morning suggesting the potential for disclosure of customers’ mobile phone numbers to website owners.

We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused.

Furthermore O2 has said that it's in touch with both the ICO and Ofcom over the incident, which has caused significant concern among many of their mobile internet users. A set of Q&As has been posted to answer some common questions.
Search ISP News
Search ISP Listings
Search ISP Reviews
 Latest UK ISP News
 Cheap BIG ISPs for 100Mbps+
Community Fibre UK ISP Logo
150Mbps
Gift: None
NOW UK ISP Logo
NOW £24.00
100Mbps
Gift: None
Virgin Media UK ISP Logo
Virgin Media £26.00
132Mbps
Gift: None
Vodafone UK ISP Logo
Vodafone £26.50 - 27.00
150Mbps
Gift: None
Zen Internet UK ISP Logo
Zen Internet £28.00 - 35.00
100Mbps
Gift: None
150,000+ Customers | View More ISPs
 Cheapest ISPs for 100Mbps+
Gigaclear UK ISP Logo
Gigaclear £17.00
200Mbps
Gift: None
BeFibre UK ISP Logo
BeFibre £19.00
150Mbps
Gift: None
Community Fibre UK ISP Logo
150Mbps
Gift: None
YouFibre UK ISP Logo
YouFibre £22.99
150Mbps
Gift: None
Hey! Broadband UK ISP Logo
150Mbps
Gift: None
Modest Availability | View More ISPs
Cheap BIG ISPs for 100Mbps+
Community Fibre UK ISP Logo
150Mbps
Gift: None
NOW UK ISP Logo
NOW £24.00
100Mbps
Gift: None
Virgin Media UK ISP Logo
Virgin Media £26.00
132Mbps
Gift: None
Vodafone UK ISP Logo
Vodafone £26.50 - 27.00
150Mbps
Gift: None
Zen Internet UK ISP Logo
Zen Internet £28.00 - 35.00
100Mbps
Gift: None
Large Availability | View All
Cheapest ISPs for 100Mbps+
Gigaclear UK ISP Logo
Gigaclear £17.00
200Mbps
Gift: None
BeFibre UK ISP Logo
BeFibre £19.00
150Mbps
Gift: None
Community Fibre UK ISP Logo
150Mbps
Gift: None
YouFibre UK ISP Logo
YouFibre £22.99
150Mbps
Gift: None
Hey! Broadband UK ISP Logo
150Mbps
Gift: None
Large Availability | View All
Sponsored Links
The Top 15 Category Tags
  1. FTTP (5727)
  2. BT (3575)
  3. Politics (2606)
  4. Openreach (2342)
  5. Business (2325)
  6. Building Digital UK (2278)
  7. FTTC (2061)
  8. Mobile Broadband (2047)
  9. Statistics (1830)
  10. 4G (1730)
  11. Virgin Media (1677)
  12. Ofcom Regulation (1500)
  13. Fibre Optic (1428)
  14. Wireless Internet (1420)
  15. FTTH (1383)
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms  ,  Privacy and Cookie Policy  ,  Links  ,  Website Rules