Why? Because at the very least it allows any website operator to capture your telephone number and potentially use it to send you spam texts or marketing calls.
UPDATE 25-Jan 13:29: Twitter user @alanbell_libsol reports the problem as fixed and I can confirm it's fixed for me too.
The problem
We have confirmed that UK mobile phone network O2 sends your mobile phone number to each website you visit.
The O2 problem was reportedly spotted by @lewispeckover and has been a known issue in the security industry for 2 years, see Collin Mulliner's 2010 CanSecWest talk.
We know the issue also affects at least one operator using the O2 network, GiffGaff.
We have also confirmed the phone number is sent even if you connect your computer or tablet to the internet via your phone, ie tethering. This strongly indicates the phone number is being injected at some point in O2's network.
Personal data?
What can someone do with your mobile phone number? On its own, not a lot. They can call you out of the blue, or send you junk texts.
But think how many websites you visit know quite a lot about you, such as your real name, your address, your hobbies, likes and interests? I choose not to disclose my phone numbers to social networking sites because I don't want to be contacted by strangers by phone selling me things I might be interested in.
Maybe you trust Google or Facebook. But what about the advertisers and marketing companies who send adverts to your phone or web browser? They will also receive your phone number, plus they also know a quite a lot of information about you.
And that's without considering the less ethical operators like spammers and cyber crooks. All anyone needs to do is direct you to a website to capture your mobile phone number.
Let's say this website tricks you into divulging your name under the guise of being some official website, e.g. a retail shop you've ordered from before, or your bank. The attacker can then call you directly to ask you some "security questions".
In my personal opinion this is a very serious issue. Not only should O2 fix the problem as soon as possible, they must also look into the decision making which lead to such a serious breach of trust occurring.
How easy is it to capture my phone number? Am I affected?
It's so trivial for website operators to gather the information I created an application myself in less than 30 minutes.
You can test your own connection by visiting our test tool showmyheaders.opendigital.org
Privacy note: the site does not store your full phone number, but limited information like the time you visit is and whether a phone number was detected are recorded to chart how widespread the problem is. Our data management partners, Dalton Firth Limited, never share stored data and are registered with the Information Commissioner to perform data research.
Related issues
Screen grab of O2 injecting a JavaScript link during a visit to our own wbesite |
30 minutes? I can't believe it took you that long! ;)
ReplyDeletehi, thanks for this. I have created a thread on the GiffGaff forums for this, existing GiffGaffers might like to comment at
ReplyDeletehttp://community.giffgaff.com/t5/Learn-giffgaff-Top-Tips/is-your-phone-no-given-away-when-you-surf/td-p/2854307
where I post as trueriver
best regards,
River~~
Prizes for deciphering what the javascript is doing?
ReplyDeleteOMG, somebody so smth. How can we kick up more of a fuss about this so the guys at O2 do smth to fix it?
ReplyDelete