An enterprising fella has uncovered a sneaky scheme by UK mobile phone and broadband provider O2 that gives out a user’s mobile number whenever they visit a website on their phone.
Those wishing to check his claims can visit his test site here. If you go there using an O2-connected phone, without using WiFi, you should see your mobile number appear along with the other information gathered about the device being used.
The man who discovered this is Lewis Peckover, and he’s been discussing the problem on Twitter. The first tweet that began talk of O2’s sneaky behaviour was: “So, @O2 send my phone no in an HTTP header to every site I browse. WTF? Is this normal?”
From there he’s been expanding on this statement, testing various aspects of the data collection. While it does appear to be limited to certain users’ handsets (it’s unknown at this point why), the affected devices are quite varied, with many confirming that their number appears when visiting his test site. “Could well be APN-specific, but not so simple as all idevices – lots of reports of non-idevices being affected too.”
When someone asked how Mr Peckover discovered the security hole, he responded: “Discovered while investigtng ways to verify a user is on a mobile device/network. Didn’t expect it to be quite so easy on.”
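A site that receives requests carrying a carrier-injected number can spot and scrub it before the headers reach logs or analytics. The sketch below is an added example, not Peckover's test-site code or anything from O2; the header-name list is an assumption (the article does not say which header O2 used), `X-Operator-Sub` is hypothetical, and the sample request is constructed.

```python
import re

# Header names used by some mobile gateways to pass the subscriber number.
# Assumption for this example: the article does not name O2's header.
KNOWN_MSISDN_HEADERS = {
    "x-up-calling-line-id",
    "x-msisdn",
    "x-wap-msisdn",
    "x-nokia-msisdn",
}

# Headers that are numeric by design and must not be mistaken for a number.
NUMERIC_BY_DESIGN = {"content-length", "x-request-start"}

# Optional "+" followed by 10 to 15 digits: the shape of an E.164 number.
MSISDN_VALUE = re.compile(r"^\+?\d{10,15}$")


def find_msisdn_headers(headers):
    """Return sorted, lower-cased names of headers that appear to carry a phone number."""
    flagged = set()
    for name, value in headers.items():
        lname = name.lower()
        # Drop spaces and common separators before testing the value shape.
        compact = re.sub(r"[\s\-().]", "", value)
        if lname in KNOWN_MSISDN_HEADERS:
            flagged.add(lname)
        elif lname not in NUMERIC_BY_DESIGN and MSISDN_VALUE.match(compact):
            flagged.add(lname)  # unknown header name, phone-shaped value
    return sorted(flagged)


def redact_for_logging(headers):
    """Copy the headers with every flagged value replaced, safe to write to a log."""
    flagged = set(find_msisdn_headers(headers))
    return {n: ("[REDACTED]" if n.lower() in flagged else v) for n, v in headers.items()}


# Constructed request; the number is from the UK range reserved for fiction.
SAMPLE = {
    "Host": "example.test",
    "User-Agent": "Mozilla/5.0 (constructed sample)",
    "Content-Length": "12345678901",
    "X-Up-Calling-Line-Id": "447700900123",
    "X-Operator-Sub": "+44 7700 900123",  # hypothetical header name
}

if __name__ == "__main__":
    print(find_msisdn_headers(SAMPLE))
    print(redact_for_logging(SAMPLE))
```

The value-shape check catches injected headers whose names are not on the list, at the cost of needing an exclusion set for headers that are legitimately long numbers.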
O2 also released a statement on its Twitter, saying: