# O2 sending your mobile number to every site you visit on 3G



## FridgeMagnet (Jan 25, 2012)

This has been going around the net just now - http://www.theverge.com/mobile/2012/1/25/2731903/o2-sharing-phone-numbers-website-traffic


> British cellphone carrier O2 appears to be sending customers' cellphone numbers in HTTP header traffic, inserting the info in data sent to websites over O2's connection. Lewis Peckover discovered the problem this week and setup a website to document it. The site allows O2 users in the UK to check to see whether their number is being sent along with HTTP traffic. We have confirmed the issue on two O2 numbers in the UK, and our testing with other networks indicates it is isolated to O2. Orange, Three and Vodafone were unaffected in our tests.



You can test this at the site http://lew.io/headers.php - I tried, and my iPhone is definitely sending my number when I use 3G, just as a plain text header. Apparently this may also affect anyone else who uses the O2 network e.g. Tesco.


----------



## ChrisFilter (Jan 25, 2012)

It's doing it for me.

Cheeky fuckers. That's outrageous.


----------



## joustmaster (Jan 25, 2012)

yes on giffgaff (o2)


----------



## TitanSound (Jan 25, 2012)

Not mine. Maybe because it's a linux OS?


----------



## joustmaster (Jan 25, 2012)

TitanSound said:


> Not mine. Maybe because it's a linux OS?


have you got your wifi on


----------



## FridgeMagnet (Jan 25, 2012)

TitanSound said:


> Not mine. Maybe because it's a linux OS?


No, that wouldn't make a difference - it's inserted at the network level, after the request leaves the device. I have heard a few people say they aren't affected though.


----------



## FridgeMagnet (Jan 25, 2012)

joustmaster said:


> have you got your wifi on


There is also that possibility


----------



## TitanSound (Jan 25, 2012)

joustmaster said:


> have you got your wifi on



Nope 



FridgeMagnet said:


> No, that wouldn't make a difference - it's inserted at the network level, after the request leaves the device. I have heard a few people say they aren't affected though.



Hmm...strange then, what would be their justification for doing it the first place I wonder?


----------



## bi0boy (Jan 25, 2012)

TitanSound said:


> Hmm...strange then, what would be their justification for doing it the first place I wonder?



Laziness it seems.


----------



## FridgeMagnet (Jan 25, 2012)

TitanSound said:


> Hmm...strange then, what would be their justification for doing it the first place I wonder?


Somebody I know said it's likely to track customer data usage. But obviously, you make sure that's not identifiable whenever it goes outside of your system. If you didn't just hand the project to the neighbour's kid who's good with computers, that is.


----------



## FridgeMagnet (Jan 25, 2012)

Sophos article saying this is a known general issue: http://nakedsecurity.sophos.com/2012/01/25/smartphone-website-telephone-number/

They link to another page which apparently acts as a more general checker, for other networks too: http://www.mulliner.org/pc.cgi


----------



## editor (Jan 25, 2012)

We're going to need a bigger facepalm.


----------



## Ax^ (Jan 25, 2012)

Oh well being using opera for a while


----------



## FridgeMagnet (Jan 25, 2012)

Ax^ said:


> Oh well being using opera for a while


Won't make any difference.


----------



## grit (Jan 25, 2012)

T





ChrisFilter said:


> It's doing it for me.
> 
> Cheeky fuckers. That's outrageous.



Why on earth is it outrageous, this has been done since at least 2005.


----------



## UnderAnOpenSky (Jan 25, 2012)

grit said:


> T
> 
> Why on earth is it outrageous, this has been done since at least 2005.



Because most people don't like handing out their number to all and sundry. As someone who makes a point of giving fake data to websites as often as I can get away with, I'd be proper fucked off.


----------



## FridgeMagnet (Jan 25, 2012)

Should they have done it since 2005, that would just make it outrageous since 2005, not un-outrageous now.


----------



## grit (Jan 25, 2012)

Well any company seriously involved with mobile have direct binds over SMPP to the major networks and can do a LOT. So dismiss any fantasy you have of being anonymous now.


----------



## UnderAnOpenSky (Jan 25, 2012)

grit said:


> Well any company seriously involved with mobile have direct binds over SMPP to the major networks and can do a LOT. So dismiss any fantasy you have of being anonymous now.



That's a big jump between having my phone number and browsing habits in a nice marketable form.


----------



## ChrisFilter (Jan 25, 2012)

Global Stoner said:


> That's a big jump between having my phone number and browsing habits in a nice marketable form.



Indeed.


----------



## 2hats (Jan 25, 2012)

A little bird at O2 tells me that the problem is due to a gateway upgrade. Normally the number gets hashed, at the very least, if not removed. Am told technical and legal inside O2 are aware of it and since it sounds like a DPA FUBAR one would guess it will get addressed soon.


----------



## UnderAnOpenSky (Jan 25, 2012)

Would it give anyone on O2 a right to cancel their contract?


----------



## Lazy Llama (Jan 25, 2012)

No sign of that header from my iPhone on 3G with O2.


----------



## FridgeMagnet (Jan 25, 2012)

A friend said she didn't have it happening to her either, using a PAYG SIM and an iPhone.


----------



## Shippou-Sensei (Jan 25, 2012)

not on mine  zte-blade/sanfran with giffgaff


----------



## Blagsta (Jan 25, 2012)

Not on my HTC desire on o2. They do proxy though, often I get an error message from their proxy server.


----------



## FridgeMagnet (Jan 25, 2012)

It's stopped doing it for me now. They must be removing it.


----------



## 2hats (Jan 25, 2012)

Been happening for 2 weeks and supposedly fixed as of 2pm today:

http://blog.o2.co.uk/home/2012/01/o2-mobile-numbers-and-web-browsing.html


----------



## Kid_Eternity (Jan 25, 2012)

Dodgy fuckers. Glad I left them that said hope this shit isn't prevalent with other networks...


----------



## weepiper (Jan 25, 2012)

FridgeMagnet said:


> A friend said she didn't have it happening to her either, using a PAYG SIM and an iPhone.



I get red on that test site, using a PAYG sim and an Alcatel Android phone.


----------



## FridgeMagnet (Jan 25, 2012)

weepiper said:


> I get red on that test site, using a PAYG sim and an Alcatel Android phone.


You shouldn't be getting it any more, they're supposed to have turned it off!


----------



## weepiper (Jan 25, 2012)

FridgeMagnet said:


> You shouldn't be getting it any more, they're supposed to have turned it off!



oh I dunno, I got it when I was testing at lunchtime at work  on the pc now and the phone's charging


----------



## grit (Jan 26, 2012)

I've been thinking about this, has anyone come across a report that states if the site was whitelisted at o2 or not?


----------

