Is your smartphone telling every website you visit your telephone number?


O2 mobile users in the UK are venting on Twitter today, fuming at their discovery that their phone number is being shared with every website that they visit over the network.

O2 customer tweets

I found a colleague who owns an iPhone on the O2 network, and we tried it out for ourselves. Making sure we turned off his WiFi connection, we used the O2 mobile network to access the web.

Phone number revealed

Sure enough, his mobile number was being secretly communicated to websites he visited, embedded inside an HTTP header called HTTP_X_UP_CALLING_LINE_ID.

Closeup of phone number

O2's response so far is to tell concerned Twitter users that it is investigating the issue.

Well, maybe I can be of some assistance. Because, although the problem is getting a lot of people's attention today, it's actually been known about for almost two years at least.

Back in March 2010, Berlin student Collin Mulliner revealed his discovery at the CanSecWest conference in Vancouver and presented a paper on the topic entitled "Privacy Leaks in Mobile Phone Internet Access".

My colleague Chet Wisniewski discussed Mulliner's research at the time and it was also reported in the technology press.

It's hard to understand why a mobile phone network operator would think it is necessary to transmit their customers' mobile phone numbers to the websites they visit. My guess is that it's more likely to be a cock-up than malice which caused this data to be leaked - but what's worse is that the problem is still present almost two years after it was first discovered.

It's certainly easy to imagine how the information could be abused - for instance, if your mobile phone number is scooped up, it could then be used to SMS text spam you.

Occasional Naked Security contributor Terence Eden has made a video demonstrating the problem:

So, the big question is: are other mobile networks - including those in other countries - also doing this?

If you want to know if your smartphone is revealing your phone number when you browse websites, you can test for yourself by visiting this demo page by Collin Mulliner: www.mulliner.org/pc.cgi

If it comes up green, you're all clear. But if you see red, well... maybe you'll be seeing red with your mobile phone operator too.

(Remember, you have to turn off WiFi before you test. That way, your phone is forced to use your mobile phone network for the connection.)
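
For site operators on the receiving end, here is an added example (not code from Collin Mulliner's demo page or from this article) of the same green/red check, plus masking of the value before request headers are logged. HTTP_X_UP_CALLING_LINE_ID is the CGI/WSGI environ form of the X-Up-Calling-Line-Id request header; the phone-number shape check for other header names, the function names and the sample requests are assumptions made for illustration.

```python
import re

# Environ key reported in the article. Other gateways may use other names,
# so header values are also checked against a phone-number shape (heuristic).
KNOWN_KEY = "HTTP_X_UP_CALLING_LINE_ID"
PHONE_SHAPE = re.compile(r"^\+?\d{8,15}$")


def find_subscriber_headers(environ):
    """Return {key: reason} for request headers that look like a subscriber number."""
    findings = {}
    for key, value in environ.items():
        if not key.startswith("HTTP_") or not isinstance(value, str):
            continue
        compact = re.sub(r"[\s\-().]", "", value)  # drop common separators
        if key == KNOWN_KEY:
            findings[key] = "known header"
        elif PHONE_SHAPE.match(compact):
            findings[key] = "value shaped like a phone number"
    return findings


def redact_for_logging(environ):
    """Copy of the HTTP_* headers that is safe to log: flagged values are masked."""
    flagged = find_subscriber_headers(environ)
    safe = {}
    for key, value in environ.items():
        if not key.startswith("HTTP_"):
            continue
        safe[key] = "[redacted]" if key in flagged else value
    return safe


def verdict(environ):
    """'red' if any subscriber-identifying header arrived, otherwise 'green'."""
    return "red" if find_subscriber_headers(environ) else "green"


# Constructed sample requests (the number is a made-up placeholder).
VIA_MOBILE_GATEWAY = {
    "REQUEST_METHOD": "GET",
    "HTTP_HOST": "example.test",
    "HTTP_USER_AGENT": "ExampleBrowser/1.0",
    "HTTP_X_UP_CALLING_LINE_ID": "447700900123",
}
VIA_WIFI = {"REQUEST_METHOD": "GET", "HTTP_HOST": "example.test",
            "HTTP_USER_AGENT": "ExampleBrowser/1.0"}

if __name__ == "__main__":
    print(verdict(VIA_MOBILE_GATEWAY), redact_for_logging(VIA_MOBILE_GATEWAY))
    print(verdict(VIA_WIFI), redact_for_logging(VIA_WIFI))
```

The shape check is deliberately loose, so a "value shaped like a phone number" finding on an unfamiliar header is a prompt to review it, not proof of a leak.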

Update: O2 says that the problem is now fixed and has published an explanation of what went wrong.


57 Responses to Is your smartphone telling every website you visit your telephone number?

  1. Matt · 951 days ago

    Doesn't look like Vodafone are affected - or at least, my SE Xperia Arc passes the test

    • neuro · 950 days ago

      @Matt, it's not a handset issue, it's an operator issue. O2, and not the phone itself, are modifying the request headers sent when your mobile browser requests a webpage, and inserting your number. This looks like a transparent proxy configuration set to a debug mode, but it still begs the point as to why it has been left on for all this time.

  2. Paul · 951 days ago

    From what I remember, every iPhone carrier must have an Apple box that all itraffic is sent through. This is where the UP_CALLING_LINE_ID is usually dumped, so Apple can see usage data. (Always been the case, read the small print).
    My guess is O2, in their hurry to get Apple onboard, never felt the need to close this and happily send all that data out unaware.

    • gkdotm · 950 days ago

      What bollox. There's nothing like that in the small print.
      Plus O2 is doing this for all phones (and even dongles), not just the iPhone.

      Other carriers don't have this issue.

  3. PippaS · 951 days ago

    Another vote for Vodafone being clear (on a Samsung Galaxy S2)

  4. My Nokia E6 on vodafone uk is not affected. Looks like vodafone has patched this hole

  5. Nicola · 950 days ago

    My Blackberry on O2 passes the test.

  6. Malin · 950 days ago

    I've got a Galaxy S2 with O2 but doesn't seem to be affected when I try out the test website.

  7. Looks like it affects all O2's virtual networks like Tesco and giffgaff etc. O2 have commented on their own forum confirming the investigation and their Twitter feed is swamped

  8. Johnboy · 950 days ago

    just tested on O2 using Android & Opera mini and it is not displaying any number, however the default android browser is passing it :o

    • Dunhamzzz · 950 days ago

      Opera uses its own proxy, that's the reason you got Opera Mini right?!

  9. Here's a discussion on the Nokia dev forum from 2004 on finding mobile numbers in HTTP headers: http://www.developer.nokia.com/Community/Discussi... - this is clearly not a new issue. Bad luck O2 for being the chumps to fall foul of it the day Twitter had nothing better to do.

    • Andy · 950 days ago

      Twitter had nothing better to do. Oh we'll remember that when we get scammed/spammed because O2 were too lax/stupid to close the gap. Granted it's not as important as world hunger or the latest celebrity to lose their knickers, but some of us do care.

  10. RDanny · 950 days ago

    I just did the test through mulliner as you suggested and my screen came up green.
    I'm with T-Mobile NL,

  11. All clear with iPhone 4S and AT&T (USA).

  12. David Pottage · 950 days ago

    I used to work in the mobile website industry, and it is a standard feature of most mobile networks, but usually only if the website signs an agreement with the network. Sometimes other information is also available such as the user's location, what sort of contract they are on, and if they have proved they are old enough to view pornography.

    The mobile website wants the customer phone number so that they can track individual users through their site, and recognise them when they return. This is sometimes done just for statistics and adverts, but mostly it is done to create user accounts for subscriptions or paid for content. Phone numbers are preferred over cookies for this because many older phones don't support cookies, or will delete them frequently, and also because phone numbers are hard to spoof or change, and can be traced back to an individual user in case of fraud or abuse. It is also used for reverse SMS billing on some sites. (This is where you pay for content by receiving one or more premium rate text messages).

    What generally happens is that a mobile website will request certain information be passed along from the mobile network, and will offer to share revenue in return. If the network agrees, then the IP address of the web server in question will be added to a white list at the network and the information will be supplied.

    Different networks have different rules on what will be supplied under what circumstances. For example I did some work with Teliasonera in Finland, and they would only supply one of the mobile number or the user's location, but not both, and if a web page contained adult material you had to set a number of headers to indicate what type (from their list of categories) and they would block it from the user at their end if necessary.

    I suspect what has happened in the case of O2 is that something has broken in their systems, so they are passing along phone numbers in the HTTP headers to all websites when they should not. I doubt they would want to do that by default as it is useful for them to take a cut from mobile website revenues.
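
The white-list arrangement described in the comment above, sketched as an added example (not part of the comment and not any operator's real gateway code). The function name, the partner address range and the subscriber number are constructed; X-Up-Calling-Line-Id is the wire form of the header the article names.

```python
import ipaddress

HEADER = "X-Up-Calling-Line-Id"  # wire form of HTTP_X_UP_CALLING_LINE_ID

# Hypothetical allowlist of partner web servers (documentation address range).
PARTNER_NETWORKS = [ipaddress.ip_network("203.0.113.0/28")]

# A catch-all entry: every destination counts as a "partner". Shown only to
# illustrate how one over-broad rule produces the behaviour in the article;
# it is not a statement about what actually went wrong at any operator.
CATCH_ALL = [ipaddress.ip_network("0.0.0.0/0")]


def outbound_headers(client_headers, dest_ip, msisdn, partners=PARTNER_NETWORKS):
    """Headers the gateway forwards for one subscriber request."""
    # Always drop any copy sent by the handset, so a site never sees a
    # client-chosen value under the operator's header name.
    out = {k: v for k, v in client_headers.items()
           if k.lower() != HEADER.lower()}
    try:
        addr = ipaddress.ip_address(dest_ip)
    except ValueError:
        return out  # fail closed: unparseable destination gets no number
    if any(addr in net for net in partners):
        out[HEADER] = msisdn
    return out


# Constructed request: the handset tries to supply its own value.
FROM_HANDSET = {"User-Agent": "ExampleBrowser/1.0",
                "x-up-calling-line-id": "000"}
MSISDN = "447700900123"  # made-up placeholder number

if __name__ == "__main__":
    print(outbound_headers(FROM_HANDSET, "203.0.113.5", MSISDN))   # partner
    print(outbound_headers(FROM_HANDSET, "198.51.100.7", MSISDN))  # other site
    print(outbound_headers(FROM_HANDSET, "198.51.100.7", MSISDN, CATCH_ALL))
```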

  13. I'm with O2 and mine turned red - and so have I - am NOT impressed at all and I hope they sort this out or I will be changing network!

  14. Bruce · 950 days ago

    Orange is fine - just checked. O2 twitter guy earning his $$$ today!

  15. Michael · 950 days ago

    My BB Torch (I'm with O2) came back green, would've been annoyed if not!

  16. Phil · 950 days ago

    I'm ok here with Talkmobile (virtual over Vodafone). Useful test page though - the built-in Android browser leaks my exact phone make, whereas Opera mobile doesn't.

    And couldn't you have included a QR code for the URL, save us all typing it in?

    • I made the link clickable! No need for a QR code. :)

      • Andy · 950 days ago

        not so helpful if you're reading from your laptop, and of course I can't visit from my phone otherwise you might take my phone number and call me ;) (kidding)

        • Fred · 950 days ago

          So send an email to your phone and click on the link, I did, works just fine.
          Motorola Droid X - Verizon US - GREEN

    • the JoshMeister · 950 days ago

      Here, Phil, let me Google that for you...
      http://goo.gl/266Y3

      Click that on your computer and you'll get the QR code for http://www.mulliner.org/pc.cgi which you can scan using your phone.

      For future reference, you can make anything into a QR code using the lengthy URL that the goo.gl link redirects to; just replace =http://www.mulliner.org/pc.cgi at the end with =whateverURLyouwanttomakeintoaQRcode

      You're welcome. =)

  17. GiffGaff customer here (They use O2's network) on a new Nokia Lumia 800, just ran the test and it's clean.

  18. Ceridwen · 950 days ago

    AT&T, South Carolina, US, comes up green.

  19. vetlet · 950 days ago

    Neither my default browser nor FF for android are revealing my number. I'm on O2?

  20. Your smartphone isn't the issue here, the O2 NETWORK is appending the data as your web request travels out to the internet.

    Changing your APN settings to the below seems to take a different route through the operator network (or just applies different policies on the gateway) and prevents the header being appended;

    APN: mobile.o2.co.uk

    Username: bypass

    Password: password

    • That doesn't work for me *every* time. Forcing a network reconnect using the above settings results in number being reported while, after another reconnect, doesn't. The results are annoyingly random for me at least!

  21. Jeff · 950 days ago

    Verizon wireless seems unaffected :-)

  22. If you reconnect to O2 often enough (e.g. toggle flight mode) you end up getting a route that doesn't report your number... until your device reconnects without you noticing of course.

  23. peelins · 950 days ago

    so, how do you change your iPhone settings to NOT reveal your cell number?

  24. Jay · 950 days ago

    My o2 Blackberry on the default browser passed the test - green light.

  25. IanE17 · 950 days ago

    Vodafone Blackberry is all okay, came back green

  26. Entegy · 950 days ago

    Rogers Canada on Windows Phone 7.5 here. Thankfully no phone number being transmitted.

    This is such a huge breach of privacy.

  27. Dave B · 950 days ago

    We just tested a Blackberry and a HTC Snap on Mobilicity (Toronto, ON, Canada) and neither transmits the phone number using Internet Exploder or Blackberry Browser.

  28. Ian · 950 days ago

    Orange and T Mobile on an HTC Desire are green as grass. Unlike O2 who should be red in the face. Twats.

  29. rebecca acklam · 950 days ago

    My BB Curve on O2 UK is absolutely fine. I use both the phone's built-in browser and Opera Mini, both returned green. Although I would have been pretty peeved if I had discovered otherwise, the reason I use Opera is because it is proxy based so it circumvents O2's ridiculous age control policy (I'm 21 by the way). Although the age limit is set at 18 for obvious reasons I get fed up of asking them to remove it and then it coming back after a few months. But that's a whole different issue....

  30. graham · 950 days ago

    With companies like O2 who needs hackers?
    I just tested my phone (HTC Desire S) tethered to my PC on the Three(3) network using the mulliner.org test and it was not passing the telephone number.
    However, it is interesting that when I connect to the Three website and look for my account information the site knows what SIM card (and phone number) I am using and directs me to my account without me having to type it in. So I assume that identifying info is being sent, perhaps there is more info embedded in the data. It is possible that the IP address is associated with the account in the Three network so that it can obviously track usage for billing or blocking (under 18's). I wonder if this info might also be interrogated by any website you access? I am sure hackers out there will be able to tell us.

  31. BryanB · 950 days ago

    I suspect it is both the smartphone AND the network, in this case iPhone on O2-UK. My HTC Desire doesn't pass my number whether it's on O2(Giffgaff) or Orange - I tried both SIMs.

    Or has anyone seen O2 passing over their number on any other handset?

    I'm waiting for someone to take an iPhone that shows red when tested on O2 and try it on a different network. (Yes, it'll have to be unlocked!)

  32. Lewis Taylor · 950 days ago

    I'm on 3 Mobile UK with the iPhone4 and came back green, no leaks or problems... Think I'd be quite upset if I were an O2 customer. It's not easy to block spam messages and even more hassle changing your number!

  33. Sanah · 950 days ago

    My o2 is fine, checked from my Blackberry 9300.

  34. SmartGuy · 950 days ago

    On O2 UK, my BlackBerry comes up green. I suspect that all BlackBerry/RIM devices will be OK as they use different (their own?) gateways and therefore don't include that header information. Good news for BlackBerry .... makes a change !

  35. carol · 950 days ago

    iPhone 3Gs and AT&T in the U.S. is fine.

  36. Varttaanen · 950 days ago

    Vodafone NL on a HTC Desire returned green.

  37. David · 950 days ago

    I just tested my iPhone 3G on O2 & it was fine.

  38. Cheryl · 950 days ago

    Vodafone Au on GS2 is green. Tried 2 browsers.

  39. Jazzcica · 950 days ago

    Vodafone Hungary is green :-)

  40. Saad · 950 days ago

    Here in Pakistan with Telenor, it turned RED along with my phone number,,, wtf!!! Time to talk to my network operator :/

  41. Hannah · 950 days ago

    The Three network in the UK is a-ok, I came up green.

  42. rkukmedia · 948 days ago

    I can confirm that Vodafone UK is also not affected by this, made even clearer by a "No Obvious Problems Detected" at the top of the page. On Windows Phone Nokia Lumia 800.

  43. My Sony Ericsson K800i passed the test. I'm on T-Mobile UK. BTW, I thought O2 fixed this already?

  44. Lumia boy · 943 days ago

    No problems here with T-mobile Nokia Lumia 800

  45. Bearly · 166 days ago

    AT&T legal terms in the US states it outright: "Caller ID blocking is not available when using Data Services, and your wireless number is transmitted to Internet sites you visit."

  46. Max · 53 days ago

    T-mobile Failed miserably!!


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.