O2 Mobile Phone Privacy Leak: Your Mobile Number Sent To Websites You Visit
Mobile phone users on the UK's O2 network are having their mobile phone numbers unwittingly exposed when they search the web.
The private numbers are left on websites when browsing the internet using the O2 3G network.
Code embedded by O2 at the top of each webpage includes a line that lists the phone number of the handset being used.
The code can be seen below.
We tested the phone of an O2 user at The Huffington Post, and below you can see the code with the user's private phone number blurred out.
The privacy breach was brought to O2's attention by Lewis Peckover, 28, from London, a system administrator working for a company specialising in mobile gaming.
"Yesterday lunchtime we were looking at ways to verify a user is on a particular device/mobile network etc. Looking at the information my own phone was sending, I was shocked to see it was going to be rather easier than I expected," he told Huffington Post via email.
"O2's initial response on Twitter said 'The mobile number in the HTML is linked to how the site determines that your browsing from a mobile device'. I replied saying that was rubbish, they then said they're looking in to it. Nothing further since. Frankly I'm amazed they haven't disabled this yet. It's still working as of this moment."
Peckover says the privacy implications are worrying. "For example, ad-networks will be receiving the header from any site you visit with their ads embedded. It also opens people up to possible harassment via social engineering attacks - send someone a link, get them to view it on their phone, and voila, you have their number, etc."
The issue was first brought to attention in 2010, according to Graham Cluley, senior technology consultant at Sophos.
On his blog today, Cluley wrote that Berlin student Collin Mulliner highlighted the leaky code in March 2010 at the CanSecWest conference in Vancouver. The student presented a paper on the topic entitled "Privacy Leaks in Mobile Phone Internet Access".
Cluley said "People just don't expect to have their phone numbers exposed to websites. It could be revealed to phishers or spammers. People receive spam via text just like they do via email."
O2 were contacted by Huffington Post for comment and said they were not aware that the issue was previously raised in 2010, and that they are looking into the current issue.
At 4pm on 25 January 2012, an O2 spokesperson told Huffington Post via email: "We have seen the report published this morning suggesting the potential for disclosure of customers’ mobile phone numbers to website owners. We have investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused."