A report from think broadband revealed on Wednesday that a privacy flaw in UK carrier O2's handling of web traffic on mobile devices disclosed its customers' phone numbers to websites. Any customer who used O2's 2G or 3G network to browse the internet had their phone number sent to the websites they visited, embedded in the HTTP headers of their requests.
If you’re reading this news article using your O2 mobile phone, you’ll be pleased to know that O2 have already sent us your mobile phone number within the HTTP headers which normally contain information about how content can be displayed on your device. These headers are not normally seen by users, and usually not logged by most websites, but the flaw allows malicious sites to get more personal information about you than you may be willing to share.
For example, if you open an e-mail which includes references to external images, the mere action of opening the e-mail would divulge your phone number. This could be used by anyone undertaking a phishing attack or other scam to get more information from you. The opportunity to abuse this is potentially endless.
The flaw was discovered by Twitter user @lewispeckover, who set up a website to see what information users were releasing while visiting it. He noted that after a few hours, perhaps because O2 had fixed the glitch, the mobile number stopped appearing on the website when he accessed it from his O2 device.
This issue is not exclusive to the iPhone and may affect all smart phones on the network, which is the second-largest carrier in the UK. O2 was the exclusive carrier of the iPhone back in 2007 during its initial launch.
The carrier appears to have fixed the issue; however, privacy continues to be a concern. Although a mobile phone number is not private from the carrier itself, it is a matter of concern when there is a chance it may be released to websites and to the general public. O2 has not released any statements on the privacy issue to the press or to its customers.
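To make the header leak concrete from a site operator's side, the following added example (not code from think broadband, @lewispeckover or O2) scans incoming request headers for UK mobile numbers and masks them before they reach a log. The header name `X-Example-Subscriber-Id` is hypothetical, since the article does not name the header involved, and the sample requests are constructed using a number from Ofcom's reserved drama range.

```python
import re

# UK mobile numbers: 07xxxxxxxxx nationally, 447xxxxxxxxx or +447xxxxxxxxx
# internationally. Assumption: the injected value is a bare digit string;
# the article does not describe the exact format.
UK_MOBILE = re.compile(r"(?<!\d)(?:\+?44|0)7\d{9}(?!\d)")


def leaking_headers(headers):
    """Return the names of request headers whose value contains a UK mobile number."""
    return sorted(name for name, value in headers.items() if UK_MOBILE.search(value))


def redact(headers):
    """Return a copy of the headers that is safe to log: only the last 3 digits survive."""
    def mask(match):
        number = match.group(0)
        return "*" * (len(number) - 3) + number[-3:]
    return {name: UK_MOBILE.sub(mask, value) for name, value in headers.items()}


# Constructed sample: a request as it might arrive through a carrier proxy
# that adds a subscriber-number header (header name is hypothetical).
SAMPLE_VIA_CARRIER = {
    "Host": "news.example",
    "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X)",
    "Accept": "text/html",
    "X-Example-Subscriber-Id": "447700900123",
}

# Constructed sample: the same browser on Wi-Fi, with no carrier proxy in the path.
SAMPLE_VIA_WIFI = {
    "Host": "news.example",
    "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X)",
    "Accept": "text/html",
}

if __name__ == "__main__":
    for label, request in (("carrier", SAMPLE_VIA_CARRIER), ("wifi", SAMPLE_VIA_WIFI)):
        print(label, "leaking headers:", leaking_headers(request))
        print(label, "logged as:", redact(request))
```

Comparing the same device over the mobile network and over Wi-Fi, as the two samples do, separates headers added in transit from those the browser itself sends.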