O2: Sharing your mobile number with every website you visit

25 January 2012

Hello there reader. Guess what? If you happen to be reading this frankly brilliant article on your O2 mobile phone, you'll be thrilled to bursting point to learn that O2 have already sent us your mobile phone number, tucked inside the HTTP headers that normally carry information about how content can be displayed on your device.

Alas, these headers aren't usually seen by users and don't tend to be logged by sites; however, this clanger of a flaw absolutely allows a malicious site to harvest some of that lovely personal information of yours.

How bad is this? Well, should you open an email on your O2 phone that includes external images, simply opening the mail would divulge your phone number to whoever serves those images. Of course, that could then be used in a phishing attack or some other lousy scam.

This was uncovered by @lewispeckover, and the problem is still affecting many smartphones. If you're an O2 user and want to check whether you're affected, visit Lewis Peckover's website to find out more.

We strongly suspect a lot of ranting and swearing from the Twitter community over this.

EDIT: As of 2pm today (25th January), this 'glitch' has been fixed. In a blog post, O2 say it had been going on since 10th January.
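A defender-side check for the leak described above, added here and not taken from the article or from Lewis Peckover's page: it parses a raw HTTP request, reports any known subscriber-number header (with the value redacted so it can be logged safely), and shows the stripping a carrier gateway or a trusted proxy should do before the request leaves the operator network. The header names and the sample request are constructed assumptions: X-MSISDN is the name mentioned in the comments, and x-up-calling-line-id is the header name reported for O2 at the time, which this article does not itself name.

```python
import re
from typing import Dict

# Assumed list of header names carriers have used for the subscriber number
# (MSISDN). Not exhaustive; extend it for your own environment.
MSISDN_HEADER_NAMES = frozenset({"x-msisdn", "x-up-calling-line-id"})

# A subscriber number: optional '+', then 10 to 15 digits (E.164 length range).
_MSISDN_RE = re.compile(r"^\+?\d{10,15}$")

# Constructed sample request, as an image-tracking pixel fetch might look when
# it arrives at a web server via the carrier gateway. The number is from the
# UK reserved drama range (07700 900xxx), so it belongs to nobody.
SAMPLE_REQUEST = (
    "GET /pixel.gif HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X)\r\n"
    "x-up-calling-line-id: 447700900123\r\n"
    "Accept: image/*\r\n"
    "\r\n"
)


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 request into a dict keyed by
    lower-cased header name. The request line is skipped and any body ignored."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def redact(number: str) -> str:
    """Keep only the last three digits so a finding can be logged without
    storing the full number."""
    digits = number.lstrip("+")
    return "*" * (len(digits) - 3) + digits[-3:]


def find_leaked_msisdn(headers: Dict[str, str]) -> Dict[str, str]:
    """Map each known subscriber-number header whose value looks like a phone
    number to its redacted value. Empty dict means no leak was seen."""
    return {n: redact(v) for n, v in headers.items()
            if n in MSISDN_HEADER_NAMES and _MSISDN_RE.match(v)}


def strip_msisdn_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """What the gateway should do before traffic exits the core network: drop
    every subscriber-number header so downstream sites never see it."""
    return {n: v for n, v in headers.items() if n not in MSISDN_HEADER_NAMES}
```

Running `find_leaked_msisdn(parse_headers(SAMPLE_REQUEST))` on the constructed request reports the leak as `{'x-up-calling-line-id': '*********123'}`, and the same call on the stripped headers reports nothing.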



  • Rob L.
    As it's O2, it also happens on GiffGaff too...
  • Sandy M.
    ...and also Tesco Mobile, just checked. Maybe explains all those "have you had an accident in the last 3 years...." texts I keep getting
  • Mienaikage
    If you're worried about it might as well try using Opera Mini/Mobile for the time being.
  • The B.
    I'm going to pass this over to the office of the information commissioner so it can be ignored studiously by the highest legal data practitioner in the land as per usual.
  • Daniel
    Confirmed on GiffGaff
  • Ollie
    Explains why I've been getting texts about insurance claims etc., as well as some 0800 number ringing me 3 times a week.
  • Rob L.
    The next question is which sites, if any, have known about this and been using it?
  • Passing M.
    I work for a different telco, but you can be sure they all do this. As your data passes through the GPRS core network your subscriber number is attached to the header; mostly it is used for billing purposes, but also fault finding, performance, and the like. The difference is that normally, prior to your data exiting the GPRS core network, it should strip that information out of the header. I would suspect that what's happened here is some sort of problem where that process is not happening. It is more than likely by 'accident' than 'design'...
  • Martin
    My GiffGaff number doesn't show up. Possibly something to do with the custom Android ROM I'm using.
  • Sicknote
    A combination of adding a custom user-agent and the X-MSISDN header manipulation within Firefox and you can make your PC pretend to be anyone or any mobile. How do you think we test websites at Vodafone; with handsets......oh no we don't..
  • Carl
    Looking at the twitter feed of the guy who created the page, it looks like O2 may have switched this off, or corrected the issue now.
  • Gavin
    It seems that Blackberry devices are not affected as the websites are channelled through RIM's servers first.
