O2 apparently sends your phone number to every website you visit on your phone

UK operator O2 woke up to a public relations disaster this morning. Apparently using their network to browse the web results in your phone number being transmitted to any website you happen to visit. Yes, you read that right. Take your iPhone out of your pocket, visit Joe Blow’s Awesome Mobile Blog, and Joe now knows your phone number. The story was first reported on The Next Web with the assistance of Lewis Peckover, who actually discovered the problem in the first place and created a website so people could see that he isn’t just making this stuff up. The result? Boy oh boy is the internet going wild. People are harassing O2 on Twitter about this issue with a ridiculous sense of urgency, as if they’re not the same folks who have no qualms giving Facebook every last bit of their personal information. Anyway, while O2 looks to correct this absolute fuck up, there’s a temporary solution for the tin foil hat wearing crowd. Set your access point to mobile.o2.co.uk, use the username “bypass”, the password “password”, and you’re done.

The bigger issue here is why are people so freaked out about this? So O2 messed up, it’s not like they were intentionally trying to put your number out into the ether. Someone who was configuring the network accidentally checked a check box he wasn’t supposed to check and that’s all there is to it. Can a website see your text messages? No. Can they see your contact list? No. Can they see the naughty photos you take of yourself and send to your significant other? Nope. One might argue that because a website can see your phone number they can now hack into your voice mail, but come on, do any of you guys use voicemail? If so, haven’t you already changed your password after the whole News of the World scandal?

All in all, this story is perfect for a slow news day like today.

[Via: Mobile Industry Review]

Update: O2 has fixed this issue and posted an FAQ on their blog about what happened.

  • Ivan

    As a mobile developer, I believe someone DID intentionally try to put numbers out in the ether. HTTP headers aren’t usually stuff of checkboxes, it’s more like “someone accidentally changed 12 parameters in 2 config files”.

    However, sometimes I would love to get that info for websites I develop… But then I remember people value their privacy.

    • I love a good conspiracy theory but no, this was clearly unintentional.

      Fact is, all mobile carriers add some of the customer’s ‘private’ info into the header. And there are many practical reasons for doing so, like 3rd-party billing and age-verification. But to your carrier the most important of these is the lucrative kind: info-sharing contracts with outside firms…like, say, the folks who pay them for advertising space or other promotional consideration.

      Of course, mobile operators can’t ignore privacy laws or the implied threat of governmental intervention. So, after some of that embedded info must be redacted, even if only because the receiving party hasn’t paid for it. This is done via a complicated filtering system composed of routers…and that’s likely what went wrong, here. Some poor jerk misconfigured a router.

      Thus, O2’s apologetic press release where they acknowledge error but claim to have followed ‘industry standards’.
