O2, once Apple’s exclusive iPhone carrier in the UK, has been caught exposing its customers’ phone numbers in the HTTP headers sent to every website they visit while using its 3G network.
London-based systems administrator Lewis Peckover discovered the issue yesterday, while researching ways of finding out if a website visitor is on a particular device or network. Turns out to be really easy if the visitors are on O2.
Peckover created a simple demo script that prints out the HTTP request headers it receives. Everything looks normal if you visit his page from your computer – but when an O2 customer hits the page from the 3G network, an additional header appears:
That “x-up-calling-line-id” header, says Peckover, is being handed over to the webmaster of every website visited. Eeek.
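As an added example (not Peckover’s script or anything from O2), here is a small echo page of the same kind, plus a check a site operator can run to flag the “x-up-calling-line-id” header and scrub the number out of anything that reaches the access logs. The sample header values are constructed; the extra match on any name containing “calling-line-id” is an assumption so variant spellings are caught too.

```python
from wsgiref.simple_server import make_server

# Header names that carry the subscriber's phone number (MSISDN).
# "x-up-calling-line-id" is the header named in the article; matching any
# name containing "calling-line-id" is an assumption to cover variants.
LEAKY_HEADERS = {"x-up-calling-line-id"}


def find_leaked_msisdn(headers):
    """Return {header_name: value} for request headers that expose a phone number.
    `headers` maps header names (any case) to values."""
    return {
        name: value
        for name, value in headers.items()
        if name.lower() in LEAKY_HEADERS or "calling-line-id" in name.lower()
    }


def scrub_headers(headers):
    """Return a copy safe for access logs: leaked numbers replaced by a marker."""
    leaked = find_leaked_msisdn(headers)
    return {name: ("[REDACTED-MSISDN]" if name in leaked else value)
            for name, value in headers.items()}


def wsgi_headers(environ):
    """Rebuild header names from WSGI's HTTP_FOO_BAR keys (-> foo-bar)."""
    return {k[5:].replace("_", "-").lower(): v
            for k, v in environ.items() if k.startswith("HTTP_")}


def app(environ, start_response):
    """Echo the request headers like the demo script, but warn on a leak
    and never echo or log the raw number itself."""
    headers = wsgi_headers(environ)
    lines = [f"{n}: {v}" for n, v in sorted(scrub_headers(headers).items())]
    if find_leaked_msisdn(headers):
        lines.insert(0, "WARNING: your carrier is sending your phone number "
                        "to every site you visit\n")
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return ["\n".join(lines).encode()]


if __name__ == "__main__":
    make_server("", 8080, app).serve_forever()
```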
Needless to say, people are rather troubled by this, and this morning swamped O2’s Twitter account with demands for an explanation. O2 responded quickly with a flood of @-replies to concerned users (pictured above) and said it had started an investigation. We’ll update this post as and when we hear anything more.
Although the header appears to be inserted regardless of the mobile device used, this will affect a lot of UK iPhone owners because of O2’s former exclusivity as an iPhone seller. A lot of people (myself included) have ongoing O2 contracts that were first opened back in the days when it wasn’t possible to get an iPhone from anyone else.
UPDATE: Looks like this has been known to the people at Sophos for some time now.
UPDATE 2: Turns out this was the unexpected and unnoticed result of some behind-the-scenes maintenance. O2, to its credit, has fixed the bug and said sorry.