Is your smartphone telling every website you visit your telephone number?

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

O2 mobile users in the UK are venting on Twitter today, fuming at their discovery that their phone number is being shared with every website that they visit over the network.

O2 customer tweets

I found a colleague who owns an iPhone on the O2 network, and we tried it out for ourselves. Making sure we turned off his WiFi connection, we used the O2 mobile network to access the web.

Phone number revealed

Sign up to our free newsletter.
Security news, advice, and tips.

Sure enough, his mobile number was being secretly communicated to websites he visited, embedded inside an http header called HTTP_X_UP_CALLING_LINE_ID.

Closeup of phone number

O2’s response so far is to tell concerned Twitter users that it is investigating the issue.

[tweet https://twitter.com/O2/status/162097632955744256]

Well, maybe I can be of some assistance. Because, although the problem is getting a lot of people’s attention today, it’s actually been known about for almost two years at least.

Back in March 2010, Berlin student Collin Mulliner revealed his discovery at the CanSecWest conference in Vancouver and presented a paper on the topic entitled “Privacy Leaks in Mobile Phone Internet Access”.

My colleague Chet Wisniewski discussed Mulliner’s research at the time and it was also reported in the technology press.

It’s hard to understand why a mobile phone network operator would think it is necessary to transmit their customers’ mobile phone numbers to the website they visit. My guess is that it’s more likely to be a cock-up than malice which caused this data to be leaked – but what’s worse is that the problem is still present almost two years after it was first discovered.

It’s certainly easy to imagine how the information could be abused – for instance, if your mobile phone number is scooped up, it could then be used to SMS text spam you.

Occasional Naked Security contributor Terence Eden has made a video demonstrating the problem:

[youtube https://www.youtube.com/watch?v=67b4GTI2Tto&rel=0&h=311&w=500]

So, the big question is are other mobile networks – including those in other countries – also doing this?

If you want to know if your smartphone is revealing your phone number when you browse websites, you can test for yourself by visiting this demo page by Collin Mulliner: www.mulliner.org/pc.cgi

If it comes up green, you’re all clear. But if you see red, well.. maybe you’ll be seeing red with your mobile phone operator too.

(Remember, you have to turn off WiFi before you test. That way, your phone is forced to use your mobile phone network for the connection.)

[polldaddy poll=”5875381″]

Update: O2 says that the problem is now fixed and has published an explanation of what went wrong.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.