Phone number being sent in header to websites?

acidhell2 · 05-09-2011

Not sure if this has already been raised I couldn't see it. But our phone numbers are being sent in the header to all websites. Which is a massive security breech in my opinion(ok over reaction, but I don't really want any Tom, **bleep** or Harry getting my phone number). And it's needless. Seems to Be something O2 has done rather than GiffGaff? You can check here to see what is included in the header http://lew.io/headers.php Anyone know anything more on this or a reason, other networks don't include it in the header, any chance of giffgaff looking into this and trying to get O2 to stop what ever it's doing.

giffgaff staff edit - 25/01 -12:54

Good afternoon,

We've locked this thread for the time being - not to stop discussion, but because we'd like to update everyone in one place on this.

Please keep an eye on this thread here.

Kind regards,

--craig

wman2 · 13-10-2010

Wow you're right! I never knew that! that is a massive security breach, something should be done ASAP.

For a free giffgaff SIM or Micro-SIM with £5 free credit, click here.

tharwa · 10-08-2011

Definitely something should b done...thanks

idrisdragon · 11-06-2011

doesn't show my number

idrisdragon · 11-06-2011

actually, my phone can't read my number to display it in itself anyway as it's not on the SIM.

ari_morris · 17-05-2011

what do you mean in header??!?!?? which header?!??!

If this was the answer you were looking for please press ‘Accept as Solution!!

idrisdragon · 11-06-2011

I'm going to have to learn how thisis done. Got a fantastic idea for it.

j_lowey · 05-09-2010

Just saw this website via Twitter, tested it and sure enough my phone number is being sent to every website that I visit.

For people that aren't familiar with HTTP headers: when you visit a web page, the device that you're using sends some important information which defines the request and receiving of the web page. The headers sent usually include things like what character sets and encoding your device supports, what browser it is running, and so on.

For example, the headers that my computer sends when requesting a web page are as follows:

Host: lew.io
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
X-Forwarded-For: 188.223.231.XXX

Browsers can send any HTTP header that they like though, and certain companies use non-standard headers, which usually start with the letter X to signify this. The most common non-standard header is "X-Forwarded-For", which is often used when you're using a proxy and it forwards your request. The "X-Forwarded-For" header will be followed by the IP address of the original device that requested the page.

Yesterday, it was discovered that O2 - and subsequently giffgaff - include a non-standard header in all of your requests to websites. This header is added by their proxy (in addition to the X-Forwarded-For header). The header name is "x-up-calling-line-id" and O2 appear to be the only ones using this title, but evidence could emerge in the future to show otherwise.

The headers that my phone sends to request a web page follow:

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.3; en-gb; Nexus S Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

Accept-Encoding: gzip,deflate

Accept-Language: en-GB, en-US

Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7

x-up-calling-line-id: 447949425XXX

Host: lew.io

X-Forwarded-For: 82.132.248.XXX

In the examples in this post, I have replaced the last three digits of my IP addresses and phone number in order to protect my devices!

To be clear, each time you request a web page on your phone, your phone number is sent to the server. This is an extremely important issue: HTTP headers are often logged by servers (and logs are kept for a long time), and it would be trivial for a server administrator to extract a list of phone numbers from the logs.

If you're still not seeing the security implications, about 99% of people sending their number to every web page are on O2, so someone could easily extract a list of numbers and call them pretending to be O2. They might get caught out by a few giffgaff users and Tesco Mobile users (who I assume are also affected).

Another scenario: you visit the website of a company that offers laser eye surgery (for example). That company now have your phone number, and could easily bombard you with calls trying to sell you their services.

Finally: you might find these scenarios unlikely, but now that this problem is out in the open, word will spread. That's not to say that criminals and shady companies weren't already aware of it though.

j_lowey · 05-09-2010

Also, I'd just like to add that telephone numbers are classified as personally identifiable information under the Data Protection Act, which states:

"A person must not knowingly or recklessly, without the consent of the data controller (a) obtain or disclose personal data or the information contained in personal data, or (b) procure the disclosure to another person of the information contained in personal data."

I'd say that what is happening here pretty firmly counts as recklessly disclosing personal data. Not blaming giffgaff, as it is obviously O2 that are at fault here, but trying to make it clear that this needs to be fixed immediately.