O2 leaking user numbers to websites
25th Jan 2012 | 10:31
Network accused of huge data privacy breach
O2 could be in really hot water here: it seems users' numbers are being leaked to possibly any website that requests them.
The site clearly shows that the x-up-calling-line-id header (which requests the user's phone number) is in full force when accessing the site via a mobile phone - but apparently only O2 is actually sending out the information.
All and sundry
This means that, feasibly, any website could be given access to user numbers when browsed on an O2 mobile, which leads to all kinds of questions over data protection and privacy.
It's not good news for O2's partners either - it seems that GiffGaff and Tesco, which piggyback on the O2 network, are offering up the information freely as well, which is never going to go down well.
It's a tricky question over whether this is a real problem for users or if it's just a small loophole that's been exposed; there is some evidence that the information sending is intermittent and could be something as simple as an O2 proxy server gone awry.
Phishing for problems
That doesn't forgive the fact that such a thing is possible at all - if O2 does have a list of sites that it allows to obtain this information, then users will want to know about this as well, and it raises the issue of how easily an email phishing scam could attract mobile number data with a relatively simple campaign.
In all our tests with multiple handsets and O2 accounts the number was indeed sent, which seems to prove that the problem is current and still live - although we're sure O2 is looking to shut down the issue as fast as it can whip its engineers.
TechRadar has spoken to O2 about the issue, and has unsurprisingly been told that the issue is being 'investigated as a top priority' - we'll let you know when we hear anything more.
We've also contacted all the other networks about the issue, and we'll publish their responses too.
In the meantime, if you're an O2 user then check out the site for yourself and see what happens - let us know your findings with a comment below.