O2 apologise to 3G customers for breach
by Luciana de Rossi // January 25, 2012 // News // No comments
UK network provider O2 have today apologised to their 3G customers for accidentally providing their customers’ phone numbers to the websites that they visited.
Security is of the utmost importance to us and we take the protection of our customers’ data extremely seriously.
We have seen the report published this morning suggesting the potential for disclosure of customers’ mobile phone numbers to website owners.
We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused.
When accessing a website, a user’s browser normally reveals some information about the request. Usually the browser identifies itself, its version and the operating system type and version (this appears in the USER_AGENT header). The headers also sometimes identify proxy servers (in the X_FORWARDED_FOR header). In this case, O2 were adding the mobile phone number associated with the handset in a new header, HTTP_X_UP_CALLING_LINE_ID.
So how did this happen? O2 explain in their apology that they reveal a customer’s phone number purposefully in a number of situations: firstly, if a website requires it for age verification; secondly, if the website is part of the O2 network and the number is required for accessing services; and thirdly, if the website wants to use the number for billing for premium services. In this case, those three rules had apparently been wiped out, and the number was available to all websites.
And does this happen elsewhere? Well, Collin Mulliner, a student at the Technical University in Berlin, wrote a paper about this for CanSecWest back in 2010. He identified a number of instances of HTTP requests being tagged with header information relating to the mobile phone number or SIM card information. In most cases, Mulliner discovered that this information was actually being added by proxy servers in provider networks which reformat pages for devices with small screens. As a result, it affected medium-price-range phones and not expensive, large-screen Android or iPhone devices.
So it would appear that this does occur regularly elsewhere in the world, but it looks like a first for O2. If you’re interested in checking your own 3G connection, Mulliner developed a website which analyses your headers and highlights anything that you might need to be concerned about. Remember to disable your WiFi before visiting the site.
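As an added illustration of the kind of check such a site performs (example code written for this page, not O2’s or Mulliner’s), the script below parses a raw HTTP request and flags headers that carry subscriber identity. Only X-Up-Calling-Line-Id comes from the article; the other header names, the sample requests and the phone-number pattern are assumptions.

```python
import re

# Header names carrying a phone number / SIM identity. Server-side code sees the
# wire header X-Up-Calling-Line-Id as HTTP_X_UP_CALLING_LINE_ID (the article's name).
SENSITIVE_HEADERS = {
    "x-up-calling-line-id": "mobile phone number (MSISDN)",  # named in the article
    "x-msisdn": "mobile phone number (MSISDN)",             # assumed name
    "x-imsi": "SIM subscriber identity (IMSI)",             # assumed name
}
# Reveals the proxy chain / client address rather than the subscriber: informational.
INFO_HEADERS = {"x-forwarded-for": "client address via proxy"}
# Assumed shape of an international phone number (10-15 digits, optional '+').
MSISDN_RE = re.compile(r"^\+?\d{10,15}$")


def parse_headers(raw_request: str) -> dict:
    """Parse the header block of a raw HTTP/1.x request into a dict keyed by
    lower-cased, dash-separated name; stops at the blank line before the body."""
    headers = {}
    for line in re.split(r"\r?\n", raw_request)[1:]:  # skip the request line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower().replace("_", "-")] = value.strip()
    return headers


def audit_headers(raw_request: str) -> list:
    """Return (header, severity, note) findings for identity-disclosing headers."""
    findings = []
    for name, value in parse_headers(raw_request).items():
        if name in SENSITIVE_HEADERS:
            findings.append((name, "high", SENSITIVE_HEADERS[name]))
        elif name in INFO_HEADERS:
            findings.append((name, "info", INFO_HEADERS[name]))
        elif name.startswith("x-") and MSISDN_RE.match(value):
            # Unknown vendor header whose value looks like a phone number.
            findings.append((name, "medium", "value resembles a phone number"))
    return findings


# Constructed samples: what a leaking carrier proxy might forward, and a clean request.
SAMPLE_LEAKING = ("GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n"
                  "X-Forwarded-For: 10.0.0.1\r\nX-Up-Calling-Line-Id: 447700900123\r\n"
                  "X-Acme-Subscriber: +447700900456\r\n\r\n")
SAMPLE_CLEAN = "GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_LEAKING):
        print(finding)
```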