
O2 leaking user numbers to websites


Posted by adsada
O2 could be in really hot water here: it seems users' numbers are being leaked to possibly any website that requests them.

Twitter user @lewispeckover picked up the problem and created a simple website that returns the information any website could poll from a user.

The site clearly shows that the x-up-calling-line-id header (which requests the user's phone number) is in full force when accessing the site via a mobile phone - but apparently only O2 is actually sending out the information.

All and sundry

This means that, feasibly, any website could be given access to user numbers when browsed on an O2 mobile, which leads to all kinds of questions over data protection and privacy.

It's not good news for O2's partners either - it seems that GiffGaff and Tesco, which piggyback on the O2 network, are offering up the information freely as well, which is never going to go down well.

It's a tricky question over whether this is a real problem for users or if it's just a small loophole that's been exposed; there is some evidence that the information sending is intermittent and could be something as simple as an O2 proxy server gone awry.

Phishing for problems

That doesn't forgive the fact that such a thing is possible at all - if O2 does have a list of sites that it allows to curry this information, then users will want to know about this as well, plus raises the issue of how easily an email phishing scam could attract mobile number data with a relatively simple campaign.

In all our tests with multiple handsets and O2 accounts the number was indeed sent, which seems to prove that the problem is current and still live - although we're sure O2 is looking to shut down the issue as fast as it can whip its engineers.

TechRadar has spoken to O2 about the issue, and has unsurprisingly been told that the issue is being 'investigated as a top priority' - we'll let you know when we hear anything more.

via TR
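
The article above raises the possibility of an operator proxy and a list of sites allowed to receive the number. As an added example (not part of the original post, the article, or O2's systems), here is one way an egress proxy could strip the x-up-calling-line-id header unless the destination is explicitly trusted; the host names, allow-list and sample request are constructed assumptions.

```python
SUBSCRIBER_HEADERS = {"x-up-calling-line-id"}   # header named in the thread
TRUSTED_HOSTS = {"billing.operator.example"}    # constructed allow-list

# Constructed request; the number is from the UK range reserved for fiction.
SAMPLE = (b"GET /headers HTTP/1.1\r\n"
          b"Host: headers.test.example\r\n"
          b"X-Up-Calling-Line-ID: 447700900123\r\n"
          b"User-Agent: constructed-handset/1.0\r\n\r\n")


def sanitize_request(raw, trusted_hosts=TRUSTED_HOSTS):
    """Return (sanitized_request, removed_header_names).

    Subscriber-identifying headers are dropped unless the Host header
    names a destination on the allow-list.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    parsed, host, key = [], "", ""
    for line in header_lines:
        # A line starting with space/tab continues the previous header
        # (obsolete folding); it must share that header's fate.
        folded = line[:1] in (b" ", b"\t")
        if not folded:
            name, _, value = line.partition(b":")
            key = name.strip().lower().decode("latin-1")
            if key == "host":
                # Port is dropped; IPv6 literals are out of scope here.
                host = value.strip().decode("latin-1").lower().split(":")[0]
        parsed.append((key, folded, line))

    allowed = host in trusted_hosts
    kept, removed = [request_line], []
    for key, folded, line in parsed:
        if key in SUBSCRIBER_HEADERS and not allowed:
            if not folded:
                removed.append(key)
            continue
        kept.append(line)
    return b"\r\n".join(kept) + sep + body, removed


if __name__ == "__main__":
    out, removed = sanitize_request(SAMPLE)
    print("removed:", removed)
    print(out.decode("latin-1"))
```

Matching is case-insensitive and covers folded continuation lines, so the number cannot slip through under a differently cased name or on a wrapped line.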

Posted by Bonovox
O2 have always had poor security

Posted by masseur
what other examples of poor security are there with O2?

Posted by Bonovox
In the past there have been many security breaches and even customer details once being viewed on their website through their O2 online billing. I have read of many poor security problems with them over the years but not typing them all out.

Posted by masseur
ah yes, I do remember that one now you mention it.

too many companies are slack about online security if you ask me, if the likes of Sony and other big names.

Posted by Bonovox
I was also not happy with O2 with their somehow poor security with numbers too. Back in 2008 when I had a crazy woman texting me I asked O2 to change my number, which they did. But when it was changed on the same SIM card, somehow she found the new number. How?? She never knew anyone else that I knew. I had to completely close it down and get a new SIM & number again. After that all was OK. I have no idea if it was O2's poor security or not though. Maybe somehow she logged into my online account?? She even managed to text ME on MY number. Work that out.

Posted by Rookwise
Apparently this issue was fixed as of 2pm today according to Giffgaff and also O2's blog.

Posted by Bonovox
Heard on radio O2 said sorry and that it's fixed now


© Esato.com - From the Esato mobile phone discussion forum