on 24-01-2012 21:34 - last edited on 25-01-2012 13:07 by craig_t
Not sure if this has already been raised, I couldn't see it. But our phone numbers are being sent in the header to all websites. Which is a massive security breach in my opinion (ok, over reaction, but I don't really want any Tom, **bleep** or Harry getting my phone number). And it's needless. Seems to be something O2 has done rather than GiffGaff? You can check here to see what is included in the header http://lew.io/headers.php Anyone know anything more on this or a reason, other networks don't include it in the header, any chance of giffgaff looking into this and trying to get O2 to stop whatever it's doing.
giffgaff staff edit - 25/01 - 12:54
We've locked this thread for the time being - not to stop discussion, but because we'd like to update everyone in one place on this.
Please keep an eye on this thread here.
on 25-01-2012 03:40
Just saw this website via Twitter, tested it and sure enough my phone number is being sent to every website that I visit.
For people that aren't familiar with HTTP headers: when you visit a web page, the device that you're using sends some important information which defines the request and receiving of the web page. The headers sent usually include things like what character sets and encoding your device supports, what browser it is running, and so on.
For example, the headers that my computer sends when requesting a web page are as follows:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Browsers can send any HTTP header that they like though, and certain companies use non-standard headers, which usually start with the letter X to signify this. The most common non-standard header is "X-Forwarded-For", which is often used when you're using a proxy and it forwards your request. The "X-Forwarded-For" header will be followed by the IP address of the original device that requested the page.
Yesterday, it was discovered that O2 - and subsequently giffgaff - include a non-standard header in all of your requests to websites. This header is added by their proxy (in addition to the X-Forwarded-For header). The header name is "x-up-calling-line-id" and O2 appear to be the only ones using this title, but evidence could emerge in the future to show otherwise.
The headers that my phone sends to request a web page follow:
User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.3; en-gb; Nexus S Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Accept-Language: en-GB, en-US
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7
In the examples in this post, I have replaced the last three digits of my IP addresses and phone number in order to protect my devices!
To be clear, each time you request a web page on your phone, your phone number is sent to the server. This is an extremely important issue: HTTP headers are often logged by servers (and logs are kept for a long time), and it would be trivial for a server administrator to extract a list of phone numbers from the logs.
If you're still not seeing the security implications, about 99% of people sending their number to every web page are on O2, so someone could easily extract a list of numbers and call them pretending to be O2. They might get caught out by a few giffgaff users and Tesco Mobile users (who I assume are also affected).
Another scenario: you visit the website of a company that offers laser eye surgery (for example). That company now have your phone number, and could easily bombard you with calls trying to sell you their services.
Finally: you might find these scenarios unlikely, but now that this problem is out in the open, word will spread. That's not to say that criminals and shady companies weren't already aware of it though.
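An added example, not code from this thread: a small Python helper a site operator could run over incoming request headers before they reach the access log, so the x-up-calling-line-id header described above is flagged and the number masked (last digits replaced, as the poster did) rather than written to disk. The header name comes from this post; the UK mobile-number pattern, the prefix length kept, and the sample header values are assumptions constructed for the example.

```python
"""Flag and mask an MSISDN-bearing request header before it is logged."""
import re
from typing import Dict, List, Tuple

# Header the operator proxy was reported to add (name taken from the thread).
KNOWN_LEAKY_HEADERS = {"x-up-calling-line-id"}
# Assumption: a UK mobile number is 07xxxxxxxxx or 447xxxxxxxxx (spaces/'+' stripped).
UK_MOBILE_RE = re.compile(r"^(?:44|0)7\d{9}$")
KEEP_PREFIX = 4  # digits left visible, enough to recognise the number range


def looks_like_uk_mobile(value: str) -> bool:
    """True if the header value, once non-digits are removed, is a UK mobile number."""
    return bool(UK_MOBILE_RE.match(re.sub(r"\D", "", value)))


def mask_number(value: str, keep_prefix: int = KEEP_PREFIX) -> str:
    """Keep the first few digits and replace the rest with '*'."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= keep_prefix:
        return "*" * len(digits)
    return digits[:keep_prefix] + "*" * (len(digits) - keep_prefix)


def scrub_headers(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (log-safe copy of headers, names of headers that carried a phone number).

    A header is masked if its name is a known leaky one, or if its value looks
    like a UK mobile number under some other (possibly renamed) header.
    """
    safe: Dict[str, str] = {}
    findings: List[str] = []
    for name, value in headers.items():
        lname = name.lower()
        if lname in KNOWN_LEAKY_HEADERS or looks_like_uk_mobile(value):
            safe[name] = mask_number(value)
            findings.append(lname)
        else:
            safe[name] = value
    return safe, findings


if __name__ == "__main__":
    # Constructed sample request; 07700 900xxx is a reserved (fictional) UK range.
    sample = {
        "User-Agent": "Mozilla/5.0 (Linux; U; Android 4.0.3; en-gb)",
        "X-Forwarded-For": "10.0.0.1",
        "x-up-calling-line-id": "447700900123",
        "Content-Length": "1234567",
    }
    safe_headers, hits = scrub_headers(sample)
    print("masked headers:", hits)          # -> ['x-up-calling-line-id']
    print("log-safe value:", safe_headers["x-up-calling-line-id"])  # -> 4477********
```

Hooking this in front of whatever writes your access log means the number never reaches the log file, while the `findings` list still tells you how many requests arrived carrying it.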
on 25-01-2012 05:12
Also, I'd just like to add that telephone numbers are classified as personally identifiable information under the Data Protection Act, which states:
"A person must not knowingly or recklessly, without the consent of the data controller (a) obtain or disclose personal data or the information contained in personal data, or (b) procure the disclosure to another person of the information contained in personal data."
I'd say that what is happening here pretty firmly counts as recklessly disclosing personal data. Not blaming giffgaff, as it is obviously O2 that are at fault here, but trying to make it clear that this needs to be fixed immediately.