All O2 mobile users are affected when accessing the web on the carrier's network

Jan 25, 2012 11:46 GMT

Mobile phone carrier O2 UK has been found to send users’ mobile numbers to all of the websites they visit on their handsets. There are millions of users on O2’s mobile network, and all of their numbers are delivered to websites when they access the web from their mobile devices.

Lewis Peckover, who discovered the issue, set up a special web page to verify it, and found that a line beginning with “x-up-calling-line-id” appears among the request headers when the page is accessed from a mobile phone on O2’s network.

The x-up-calling-line-id header is followed by the user’s phone number, and it seems that O2 mobile users can check this by accessing the page from their devices (they should make sure the connection is made via O2’s broadband and that they do not use a proxying browser, like Opera Mini).

Most of the data that is listed there is expected to be available, including the Host, User Agent, Referrer and Encoding. However, the mobile phone number should not be exposed as such, Lewis Peckover notes.

“If you're on O2's UK mobile network (not ADSL), you'll (probably) see a line beginning with x-up-calling-line-id - followed by your mobile phone number in plain text. Other operators may use different headers, or hopefully none at all,” he notes on that page.

“To answer some questions and responses I've seen - no, it's not anything client-side. O2 seem to be transparently proxying HTTP traffic and inserting this header,” he also explains. Moreover, he notes that O2 is also interfering with the responses from servers.

“They downgrade all images and insert a javascript link into the HTML of each page. I've talked to customer service about this lovely feature several times, but they never have a clue what I'm talking about, let alone any idea how to opt out/disable it.”
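As an added illustration (not code from Peckover's page or from O2), the sketch below is a server-side check a site operator could run over incoming requests: it lists the request headers, flags the x-up-calling-line-id header described above along with any header whose value looks like a phone number, and masks those values before they are logged. The phone-number pattern, the function names and the sample request are assumptions constructed for this example.

```python
import re

# Header named in the article; HTTP header names are case-insensitive.
KNOWN_ID_HEADERS = {"x-up-calling-line-id"}
# Assumption: a value that is only an optional "+" and 10-15 digits is a phone number.
MSISDN_RE = re.compile(r"^\+?\d{10,15}$")


def parse_headers(raw_request: bytes) -> list[tuple[str, str]]:
    """Return (name, value) pairs from the header block of a raw HTTP/1.x request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def subscriber_id_headers(pairs):
    """Names of headers that carry a subscriber identifier."""
    flagged = []
    for name, value in pairs:
        compact = re.sub(r"[\s\-()]", "", value)  # tolerate "+44 7700 ..." spacing
        if name.lower() in KNOWN_ID_HEADERS or MSISDN_RE.match(compact):
            flagged.append(name)
    return flagged


def redact(pairs):
    """Copy of the headers that is safe to log: flagged values are masked."""
    flagged = set(subscriber_id_headers(pairs))
    return [(n, "[redacted]" if n in flagged else v) for n, v in pairs]


# Constructed sample request; the number is a made-up placeholder, not a real subscriber.
SAMPLE = (
    b"GET /headers HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: ExampleMobileBrowser/1.0\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"x-up-calling-line-id: 447700900123\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, value in redact(parse_headers(SAMPLE)):
        print(f"{name}: {value}")
```

The value-based match is a heuristic, so it can also mask an unrelated header whose value happens to be a long run of digits.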

It has also been confirmed that other wireless carriers in the country, such as Orange, T-Mobile and Vodafone, do not send users’ mobile numbers in header information.

Apparently, O2 took notice of the issue and plans on investigating it.