MOBILE OPERATOR O2 is being accused of sending mobile phone numbers to every web site visited on its network.
It has come to light that O2 is including full phone numbers in plain text in the HTTP headers that get sent when a user visits a web site. There is nothing stopping the owners of the web site from collecting your phone numbers from these headers.
Lewis Peckover posted about the issue and said, "If you're on O2's UK mobile network (not ADSL), you'll (probably) see a line beginning with x-up-calling-line-id - followed by your mobile phone number in plain text."
We contacted O2, which told us it's investigating the problem. It is frantically replying to people on Twitter with a message like this:
@paulwalk We're investigating this with our internal teams, and will come back with more as soon as possible — O2 in the UK (@O2) January 25, 2012
Of course not all web site owners will use this information but in the wrong hands it could easily be used to cause O2 customers some problems. It's unclear whether it's just O2 doing this or other networks as well.
Peckover added, "To answer some questions and responses I've seen - no, it's not anything client-side. O2 seem to be transparently proxying HTTP traffic and inserting this header."
We've tested the issue and found no problem with other networks including Orange, Vodafone, and T-Mobile. You can test it out for yourself by visiting www.mulliner.org/pc.cgi from your mobile phone with WiFi switched off. If the page is green then you're OK but if it's red then your details are being sent through in the HTTP header.
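A self-test of the red/green kind described above can be sketched as follows. This is an added example, not the code behind the test page mentioned in the article; the function names, the phone-number pattern and the sample requests are assumptions made for illustration, and only the `x-up-calling-line-id` header name comes from the article.

```python
import re

# Header named in the article. HTTP header names are case-insensitive.
KNOWN_LEAK_HEADERS = {"x-up-calling-line-id"}
# Assumption: a phone-number-shaped value is an optional "+" and 10-15 digits.
PHONE_RE = re.compile(r"^\+?\d{10,15}$")


def headers_from_environ(environ):
    """Rebuild request headers from CGI/WSGI variables (HTTP_X_FOO -> x-foo)."""
    return {k[5:].replace("_", "-").lower(): v
            for k, v in environ.items() if k.startswith("HTTP_")}


def redact(value):
    """Keep just enough of the number to recognise it, never the whole value."""
    if len(value) <= 6:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def check_headers(headers):
    """Return ("red" | "green", findings) for one request's headers."""
    findings = []
    for name, value in headers.items():
        # Drop spaces, brackets and hyphens; dots stay so IP addresses never match.
        compact = re.sub(r"[\s()-]", "", value)
        if name.lower() in KNOWN_LEAK_HEADERS:
            findings.append((name.lower(), redact(compact), "header named in the article"))
        elif name.lower().startswith("x-") and PHONE_RE.match(compact):
            findings.append((name.lower(), redact(compact), "phone-shaped value (heuristic)"))
    return ("red" if findings else "green"), findings


# Constructed sample requests; the number is from the UK range reserved for fiction.
LEAKY = {"HTTP_HOST": "example.test", "HTTP_USER_AGENT": "ExamplePhone/1.0",
         "HTTP_X_UP_CALLING_LINE_ID": "447700900123"}
CLEAN = {"HTTP_HOST": "example.test", "HTTP_USER_AGENT": "ExamplePhone/1.0"}

if __name__ == "__main__":
    for label, env in (("leaky", LEAKY), ("clean", CLEAN)):
        print(label, check_headers(headers_from_environ(env)))
```

Such a check has to be served over plain HTTP, since a header inserted by a proxy in transit can only appear on an unencrypted request.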
Peckover has tweeted:
Looks like @O2 may have just resolved the issue. It has stopped showing my number. Anyone still seeing it? — Lewis Peckover (@lewispeckover) January 25, 2012
We have tried the test out on three separate O2 handsets and got the green page saying "no obvious problem found." O2 is yet to comment and is still telling people on Twitter that it's looking into it. µ