O2 security flaw potentially lets every website access your phone number (updated: O2 react)

If you are on O2 or any MVNO that uses their network such as Giffgaff or Tesco Mobile, now is the time to be worried. It has emerged that the network is sending mobile numbers in plaintext to every website you visit as part of the header data. This could potentially allow sites to collect these numbers and do all kinds of things with them. Lewis Peckover has created a page to check for and display such information, and so far only O2 and their MVNOs have been displaying the number. Peckover says on the site:

To answer some questions and responses I’ve seen – no, it’s not anything client-side. O2 seem to be transparently proxying HTTP traffic and inserting this header. Another annoying feature of O2 is that they interfere with the responses from servers too. They downgrade all images and insert a javascript link into the HTML of each page. I’ve talked to customer service about this lovely feature several times, but they never have a clue what I’m talking about, let alone any idea how to opt out/disable it.

We don’t know why this is happening, but until O2 fully understand the problem of why this sensitive data is so easily accessible and how to solve it, be careful of any suspicious sites that may pop up. If you are not on O2 but still see your number in the header, let us know or tell Peckover on Twitter.

Update: Which? Magazine contacted the Information Commissioner’s Office, who had this to say:

Keeping people’s personal information secure is a fundamental principle that sits at the heart of the Data Protection Act and the Privacy and Electronic Communications Regulations. When people visit a website via their mobile phone they would not expect their number to be made available to that website. We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed.

Update 2: O2 have confirmed that this happened over their 3G and WAP networks due to accidental routine maintenance on January 10th. They have reported themselves to Ofcom and released this statement/Q&A.

O2 mobile numbers and web browsing

Security is of the utmost importance to us and we take the protection of our customers’ data extremely seriously.

We have seen the report published this morning suggesting the potential for disclosure of customers’ mobile phone numbers to website owners.

We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused.

Below is a set of Q&As, to answer questions we’ve been receiving. If you have further questions, do leave them in the blog comments and we will do our best to answer as many as possible.

Q: What’s happened with O2 mobile numbers when I browse the internet on my mobile?

A: Every time you browse a website (via mobile or desktop), certain technical information about the machine you are using, is passed to website owners. This happens across the internet, and enables website owners to optimise the site you see. When you browse from an O2 mobile, we add the user’s mobile number to this technical information, but only with certain trusted partners. This is standard industry practice. We share mobile numbers with selected trusted partners for 3 reasons: 1) to manage age verification, which manages access to adult content, 2) to enable third party content partners to bill for premium content such as downloads or ring tones that the customer has purchased 3) to identify customers using O2 services, such as My O2 and Priority Moments. This only happens over 3G and WAP data services, not WiFi.

Q: How long has this been happening?

A: In between the 10th of January and 1400 Wednesday 25th of January, in addition to the usual trusted partners, there has been the potential for disclosure of customers’ mobile phone numbers to further website owners.

Q: Has it been fixed?

A: Yes. It was fixed as of 1400 on Wednesday 25th January 2012.

Q: Which of my information can website owners access?

A: The only information websites had access to is your mobile number, which could not have been linked to any other identifying information we have about customers.

Q: Why did this happen?

A: Technical changes we implemented as part of routine maintenance had the unintended effect of making it possible in certain circumstances for website owners to see the mobile numbers of those browsing their site.

Q: Which customers were affected?

A: It affected customers accessing the internet via their mobile phone on 3G or WAP services, but not WiFi, between 10th of January and 1400 on Wednesday the 25th of January.

Q: Which websites do you normally share my mobile number with?

A: Only where absolutely required by trusted partners who work with us on age verification, premium content billing, such as for downloads, and O2’s own services, have access to these mobile numbers.

Q: The Information Commissioner said he is investigating – what are you doing as part of this?

A: We are in contact with the Information Commissioner’s Office, and we will be co-operating fully. We have also contacted Ofcom.

Advertisements