UPDATE6 O2 UK Mobile Internet Connections Expose Customers' Phone Numbers
Posted: 25th Jan, 2012 By: MarkJ
UPDATE: The problem has now been fixed (scroll to the bottom for more). Customers of O2 UK's Mobile Broadband services may be displeased to learn that their private phone numbers are allegedly being exposed to every website they visit, inside the HTTP headers of their connection.
HTTP headers are sent, without you ever seeing them, every time your browser requests a web page. They tell the web server a little about the client and the request (e.g. your preferred language, what web browser you use, which page on which host you've asked for, and so on). So far, so normal.
However Thinkbroadband and several customers have now confirmed that the HTTP headers being sent by at least some of O2's mobile internet connections also appear to include the customer's personal phone number! As a result any savvy web server admin could trivially log and extract this data for abuse, since the number arrives with every request.
Thinkbroadband notes that the issue appears to be sporadic and doesn't affect every connection, which could suggest a problem with the configuration of O2's mobile proxy servers. Note that none of this affects O2's fixed line Home Broadband customers, only its mobile users.
At the time of writing we're still awaiting a reply from O2 and that should come soon. In the meantime mobile users might want to consider using the Opera Mini web browser, which speeds up browsing by fetching pages through Opera's own proxy; the request to the website then originates from Opera's servers rather than from your O2 connection, so it should not expose your phone number to web servers. The same reasoning applies to any site you reach over HTTPS, since a transparent HTTP proxy cannot add headers to an encrypted request.
UPDATE 10:29am
O2 has told ISPreview.co.uk that they are "investigating" the problem and promise to report back as soon as they can. In the meantime we're seeing more emails, tweets and comments from people who have spotted the same problem on their connections. We just asked a family member to test and they found it too. We'll update again soon.
UPDATE 12:43pm
Customers of O2's Mobile Virtual Network Operators (MVNOs), such as GiffGaff and Tesco Mobile, also appear to be reporting the same problem. Meanwhile O2 user and system admin Lewis Peckover has set up a simple test page that echoes back the headers your connection sends, so you can see if it is affected (only applies to O2 users): http://lew.io/headers.php .
Lewis Peckover added:
"To answer some questions and responses I've seen - no, it's not anything client-side. O2 seem to be transparently proxying HTTP traffic and inserting this header.
Another annoying feature of O2 is that they interfere with the responses from servers too. They downgrade all images and insert a JavaScript link into the HTML of each page. I've talked to customer service about this lovely feature several times, but they never have a clue what I'm talking about, let alone any idea how to opt out/disable it."
Everybody is still waiting for O2 to respond and even the mainstream media has picked up on this now.
UPDATE 12:54pm
More bad news. According to Sophos, a German student (Collin Mulliner) first exposed the exact same security problem almost two years ago (March 2010) when he gave a presentation, 'Privacy Leaks in Mobile Phone Internet Access', to the CanSecWest conference in Vancouver. Take note that the site's security certificate (above link) seems to be out of date. We've also added a video of the problem above.
UPDATE 2:22pm
The problem, which has been known about for two years (see above), now finally seems to be vanishing from some affected connections. Mind you, we saw the same thing earlier in the day while other users were still affected.
No official update from O2 yet, although they continue to tell customers that "this sort of thing is very serious to us" (O2 Twitter) and that it is being treated "as a priority". We suspect that they're attempting to fix it before making any kind of announcement.
UPDATE 2:43pm
BBC News has managed to grab a comment from the government's Information Commissioner's Office (ICO), which is worth a read.
ICO Statement
"When people visit a website via their mobile phone they would not expect their number to be made available to that website. We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed."
It's worth noting that many web servers also log HTTP headers as part of normal operation (they usually don't contain anything of real worth) and some reports suggest that a few webmasters are finding reams of O2 customers' mobile phone numbers in those logs. Whether a given server kept them depends on its log format: the common default formats (for example Apache's "combined" format) record only the Referer and User-Agent headers, so the injected header would only have been stored where an admin had configured logging of additional request headers. We had a quick check of our own logs but they only store the standard request fields and not the O2-related ones.
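To show how little effort it takes for a web server admin to pull the number out of a request (as described above), and to check whether any header a connection sends looks like a UK mobile number, here is an added example. It is not code from the article, from O2 or from Lewis Peckover's test page. The header name `X-Up-Calling-Line-ID` is an assumption for illustration only (the article does not name the header O2's proxy inserted), the sample requests are constructed, and the phone numbers use Ofcom's reserved 07700 900xxx drama range so they belong to nobody.

```python
"""Scan HTTP request headers for values that look like UK mobile numbers (MSISDNs).

Added example; not part of the ISPreview article. The header name
'X-Up-Calling-Line-ID' is an ASSUMPTION used for illustration. The sample
requests below are constructed and use Ofcom's 07700 900xxx drama range.
"""
import re
from typing import Dict, List, Tuple

# UK mobile number in national form (07xxx xxxxxx, 11 digits) or international
# form (+44 7xxx xxxxxx / 447xxxxxxxxx, 12 digits), with optional spaces or
# hyphens between groups. The look-arounds stop us matching inside a longer
# digit run such as a session id.
UK_MOBILE_RE = re.compile(
    r"(?<!\d)(?:\+?44[ -]?7\d{3}|07\d{3})[ -]?\d{3}[ -]?\d{3}(?!\d)"
)


def normalise_msisdn(raw: str) -> str:
    """Reduce any accepted spelling to the bare international form 447xxxxxxxxx."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("44") and len(digits) == 12:
        return digits
    if digits.startswith("07") and len(digits) == 11:
        return "44" + digits[1:]
    raise ValueError(f"not a UK mobile number: {raw!r}")


def parse_request_headers(raw_request: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x request into a name->value dict.

    Header names are lower-cased (they are case-insensitive on the wire).
    Parsing stops at the blank line that ends the header block.
    """
    headers: Dict[str, str] = {}
    for line in raw_request.splitlines()[1:]:  # skip the request line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def find_leaked_numbers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (header name, normalised MSISDN) for every number-like header value."""
    found: List[Tuple[str, str]] = []
    for name, value in headers.items():
        for match in UK_MOBILE_RE.finditer(value):
            found.append((name, normalise_msisdn(match.group(0))))
    return found


def scan_request(raw_request: str) -> List[Tuple[str, str]]:
    """Convenience wrapper: parse a raw request and report leaked numbers."""
    return find_leaked_numbers(parse_request_headers(raw_request))


# Constructed request resembling one relayed by a proxy that appends the
# subscriber's number. Header name and number are both made up.
LEAKING_REQUEST = (
    "GET /headers.php HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.4; en-gb) AppleWebKit/533.1\r\n"
    "Accept-Language: en-GB,en;q=0.8\r\n"
    "X-Forwarded-For: 82.132.234.77\r\n"
    "X-Up-Calling-Line-ID: 447700900123\r\n"  # ASSUMED header name, constructed value
    "\r\n"
)

# Constructed request from a connection that adds nothing unusual.
CLEAN_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/6.5.26955/27.1407; U; en) Presto/2.8.119\r\n"
    "Accept-Language: en-GB\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("leaking", LEAKING_REQUEST), ("clean", CLEAN_REQUEST)):
        print(label, scan_request(req))
```

The scan only sees what the server was given, so on real access logs this approach works only where the log format captured the header in question. Apache, for example, records an arbitrary request header only if the LogFormat includes `%{Header-Name}i`; the default "combined" format does not, which is why a server using it would show nothing even if the header had been present on every O2 request.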
UPDATE 4:18pm
O2 claims to have officially fixed the problem at 2pm today and has now explained what happened, which is much as we reported above. The operator also says that the problem, which was apparently due to "technical changes" that occurred during "routine maintenance", began on 10th January 2012. During that period "there has been the potential for disclosure of customers’ mobile phone numbers to further website owners".
O2 Statement
Security is of the utmost importance to us and we take the protection of our customers’ data extremely seriously.
We have seen the report published this morning suggesting the potential for disclosure of customers’ mobile phone numbers to website owners.
We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused.
Furthermore, O2 says it is in touch with both the ICO and Ofcom over the incident, which has caused significant concern among many of its mobile internet users. A set of Q&As has been posted to answer some common questions.