The mobile phone operator O2 is investigating a major security flaw which gives users' mobile phone numbers to every website they visit.
Twitter user Lewis Peckover created a website on January 24 after he noticed the problem, and the International Business Times UK can confirm that visiting the website over the O2 network hands over the user's phone number, although this does not happen when visiting the site over Wi-Fi.
The site, according to creator Peckover, a 28-year-old systems administrator, is "a simple script which prints out all the information I receive about you when you visit. It is logical to conclude that this same information is sent to all other websites too."
The Information Commissioner's Office (ICO) has released a statement about the issue, as reported by consumer group Which?: "Keeping people's personal information secure is a fundamental principle that sits at the heart of the Data Protection Act and the Privacy and Electronic Communications Regulations. When people visit a website via their mobile phone they would not expect their number to be made available to that website."
The ICO continued: "We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed."
At the International Business Times UK we visited the site using an iPhone 4 on O2 and the user's phone number (below, number censored) was returned immediately. O2 has said: "We're investigating the reports and will update you as soon as we can."
The user's mobile phone number is shown next to the request header "x-up-calling-line-id:".
The issue potentially means that the mobile phone numbers of users could be sent to criminals, who can then use the numbers as part of a phishing scam. The problem is also believed to affect Giff Gaff and Tesco Mobile users, as the two companies also use O2's network.
Following questions, Peckover added more information to his website: "No, it's not anything client-side. O2 seem to be transparently proxying HTTP traffic and inserting this header."
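Because the number arrives as an ordinary HTTP request header added by the operator's proxy, any site can see it, and it will also end up in that site's access logs unless the site operator strips it. The following script is an added example written for this article, not Peckover's script and not anything from O2: it parses a constructed request, flags the x-up-calling-line-id header named above, and produces a redacted copy of the headers that is safe to log. The second header name in the list (x-msisdn) is an assumption about other operator-injected identifiers, not something the article reports.

```python
"""Detect and redact operator-injected identity headers in an HTTP request.

Added illustration for this article; not code from the article, from Peckover's
site, or from O2. Header names other than x-up-calling-line-id are assumptions.
"""
import re

# Header names (lowercase) that carry a subscriber's phone number.
# x-up-calling-line-id is the header named in the article; x-msisdn is an
# assumed additional name a site operator might also want to strip.
IDENTITY_HEADERS = {
    "x-up-calling-line-id": "phone number inserted by an operator HTTP proxy (article)",
    "x-msisdn": "assumed: generic MSISDN header name",
}

# Loose shape check for a phone number: optional leading '+', 7 to 15 digits.
PHONE_RE = re.compile(r"^\+?\d{7,15}$")


def parse_raw_headers(raw: str) -> dict:
    """Parse the header lines of an HTTP/1.1 request into a dict.

    Keys are lowercased because HTTP header names are case-insensitive.
    The request line ("GET / HTTP/1.1") contains no ':' and is skipped.
    """
    headers = {}
    for line in raw.splitlines():
        if not line.strip() or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_identity_headers(headers: dict) -> dict:
    """Return {name: value} for every identity header present in the request."""
    return {
        name.lower(): value
        for name, value in headers.items()
        if name.lower() in IDENTITY_HEADERS
    }


def looks_like_phone_number(value: str) -> bool:
    """True if the header value has the shape of a phone number."""
    return bool(PHONE_RE.match(value.replace(" ", "")))


def redact_for_logging(headers: dict) -> dict:
    """Copy of the headers with identity headers replaced by a marker.

    Use this copy, never the raw headers, when writing access logs so the
    subscriber's number is not persisted on the server.
    """
    return {
        name.lower(): ("[REDACTED]" if name.lower() in IDENTITY_HEADERS else value)
        for name, value in headers.items()
    }


# Constructed sample request; the number is a fictional UK test-range value,
# not a real subscriber's number.
CONSTRUCTED_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X)\r\n"
    "X-Up-Calling-Line-Id: 447700900123\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)


def report(raw_request: str) -> dict:
    """Summarise what an operator proxy leaked in one request."""
    headers = parse_raw_headers(raw_request)
    leaked = find_identity_headers(headers)
    return {
        "leaked_headers": leaked,
        "phone_number_present": any(looks_like_phone_number(v) for v in leaked.values()),
        "safe_to_log": redact_for_logging(headers),
    }


if __name__ == "__main__":
    for key, value in report(CONSTRUCTED_REQUEST).items():
        print(f"{key}: {value}")
```

Running the script on the constructed request flags the x-up-calling-line-id header and shows the redacted header set. Note that a transparent proxy can only insert headers into plaintext traffic; a site served over HTTPS never sees such a header, which is the check a site operator would want to combine with the logging hygiene above.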
Meanwhile, security blog Sophos has stated that the problem was first found almost two years ago, in March 2010, by Berlin student Collin Mulliner, who revealed his discovery at the CanSecWest conference in Vancouver and presented a paper on the topic entitled "Privacy Leaks in Mobile Phone Internet Access."
O2 users have taken to Twitter to express their anger towards O2, with some suggesting that the network provider has broken its contractual agreement with customers by accidentally giving their phone numbers to websites. Others believe that this problem constitutes a breach of customer privacy and that users will be able to terminate their contracts with O2 as a result.
UPDATE: We have heard from several sources of a possible workaround to stop your number from being handed out: in the APN settings, change your username from "o2web" to "bypass". The International Business Times UK cannot confirm that this works.
It is not yet known if the problem is specific to one type of phone or one browser, so we ask if readers could visit the site linked above and tell us in the comments below if your phone number is returned.