Privacy Security United Kingdom Wireless Networking Your Rights Online

O2 Fixes 'Accidental' Leak of Phone Numbers

Posted by timothy
from the take-this-leak-and-shove-it dept.
judgecorp writes "British mobile operator O2 says it has stopped sharing users' phone numbers with all websites, and says the breach was an accident. Yesterday, users found that the operator was automatically passing their mobile numbers to any site they visited while using O2's mobile network."

  • Trusted partners? (Score:5, Informative)

    by daveewart (66895) on Thursday January 26, 2012 @12:18PM (#38829537)
    I see they keep banging on about "trusted" partners. Trusted by whom? That's the point which they seem to be missing... Certainly not "trusted by O2 customers".
    • by Sockatume (732728)

      Presumably they mean sites which fall within O2's web portal. For example, my mobile phone company's web portal can bring up my customer billing page without logging in, which indicates it's uniquely identifying me. It may be that they did something similar for AnnoyingInternetVidsAsRingtones.blah when visited through their web portal, to make it easier to bill people.

    • by biodata (1981610) on Thursday January 26, 2012 @12:58PM (#38830129)
      Does trusted partners include every internet link and server between them and their trusted partners? The main problem seems to be that they are sharing people's private information in an insecure, unencrypted format (plain text), using an insecure, unencrypted mechanism (http headers) with the internet at large. Isn't this a dereliction of their duty to protect the privacy of their customers' information?
  • by Inda (580031) <slash.20.inda@spamgourmet.com> on Thursday January 26, 2012 @12:23PM (#38829599) Journal
    I got this link from the BBC News site. It just displays the headers (something most of us could do, I know):

    http://lew.io/headers.php

    My number did not appear. I'm on Tesco, who are a reseller for O2.
    • by Sockatume (732728)

      It was corrected at 2pm yesterday according to one of the stories linked to in the summary.

    • by jo_ham (604554)

      They fixed the issue before most of the stories went up, and it was also specific to cellular connections - if you visited via WiFi it would not show the error (since the problem was inside O2's network rather than happening at the handset end).

• I tried it yesterday (before O2 removed it) from my mobile phone and it showed an HTTP header with 4478****** which is my number. Clearly there is some sort of transparent proxying going on - one has to wonder what else they are using that proxy for? The cat is out of the bag that they are actively proxying port 80 traffic. However, no doubt they'll get no more than a slap on the wrist from the ICO for this breach.

        • by jo_ham (604554)

          Like they said - it (was) used for convenience with sites they were linked with, like O2 tickets and ringtone sites within their portal. There's nothing inherently Machiavellian about this, but I suppose it is the slashdot modus operandi to assume that companies can't do anything *but* be evil.

• You'll find most ISPs run transparent caching proxies. The benefit to customers is decreased page load time; the benefit to the ISP is decreased bandwidth.
        • ...it showed an HTTP header with 4478****** which is my number.

          Luckily it just shows as stars to everyone else. They must be using that same tech that Facebook uses that makes your password appear as stars when you type it. I'm pretty confident you are completely 100% safe!

          ;)

  • by aglider (2435074) on Thursday January 26, 2012 @12:30PM (#38829707) Homepage

    Once you've lost it, it's gone forever.
    Unless you change something really ... low level.
    Like the phone number.

    • by tgd (2822)

      Once you've lost it, it's gone forever.
      Unless you change something really ... low level.
      Like the phone number.

      And did you miss your virginity after it was gone?

      • I had a new desire to keep doing what it was that caused its loss.

Sounds like a Facebook user... It starts by signing up and sharing a few photos; next thing you know they're on there hours a day posting constant updates no one but themselves and those already involved (and the stalkers) care about.

  • O2 screwed up by making what appears to be a school-boy error. However, after they were notified of the fault, they admitted blame, fixed it quickly and told everyone what happened. It would have obviously been preferable if this leak hadn't happened in the first place, but I can't blame them for how they handled it.
    • by Spad (470073)

      I can blame them because they are sending phone numbers as HTTP headers to websites. I don't care if they're "selected, trusted 3rd-party sites" and that sending them to everyone was an accident, I want to know why they're using phone numbers *at all*. If you need to identify a customer to a 3rd party site for whatever reason then you use a unique identifier that isn't directly connected to that user and you certainly don't use their phone number.

      It may have been an accident, but it was an accident that sho

      • How dare they send YOUR phone number to THEIR sites.

Oh wait, it's their phone number and you're only borrowing it on the terms and conditions you signed when you agreed to take their services, which includes sharing your information with their affiliates.

      • Personally, I would have preferred they used IdentD services on the proxy endpoints, and allowed queries from selected IPs... The technology in place essentially allows you to go to "their" portal and related sites, and have those sites know it is you. In this case, the number is merely an identifier, and doesn't automagically tie your phone number to your person. Though could, combined with other information, be used to avoid privacy. The fact is that phone numbers are rather limited in nature, and give
    • by biodata (1981610)
      Not really. They are still sharing people's phone numbers with anyone they decide they want to.
• In the linked article the Sophos 'expert' Graham Cluley said the problem had been known for around two years. On the BBC News site, however, an O2 spokesperson was reported as saying that the fault had only been happening since 10th January (i.e. the Twitter user who caught them red-handed was lucky to have spotted the problem as soon as it happened).

    I wonder where the truth lies?

    • The paper from two years ago [computerworld.com] mentions the problem in relation to

      the U.K.'s Orange and Canada's Rogers Wireless

      and not in relation to O2. Had they been involved 2 years ago, I would have expected them to be named in that original paper.

  • by Burb (620144) on Thursday January 26, 2012 @12:40PM (#38829843)

    Compare:
    O2 Fixes 'Accidental' Leak of Phone Numbers
    vs
    O2 Fixes Accidental Leak of Phone Numbers

    • by jo_ham (604554)

      It's to be expected for the standard slashdot groupthink - didn't you get the memo? Anything a company does, without exception, has a secret, ulterior motive designed to crush the common man, hurt open source, and destroy privacy.

      It's simply not possible for a company to ever do anything accidental. This was clearly O2's plan all along and they've been "caught" trying to be evil. Score one for the little guy!

      DISCLAIMER: The above comments might be facetious. YMMV.

    • They're brilliant aren't they? They crop up everywhere now. The BBC uses them with gay abandon and whilst I'm sure that they're just using them in their traditional sense (i.e. to delineate a quote) the results can often be hilarious.

      Here's another amusing example from today on the BBC: 'Cloaking' a 3-D object from all angles demonstrated [bbc.co.uk]. You can just hear the derisive journalist as he writes the headline...

  • In TFA, the "yesterday" link appears to have been fat-fingered. Here is the fixed link:
    --
    [...]was automatically passing their mobile numbers [techweekeurope.co.uk] to any site they visited[...]
    --

  • Apparently they were mistakenly providing mobile numbers to sites that had not paid for them!
  • Remember a time when corporations were held fiscally and criminally responsible for their actions?

    Pepperidge Farms remembers.
• Now we know they have certain headers for billing purposes, not the smartest way... Is there a danger in these headers now? Going to the 'trusted partner' with your own fake headers without going through the O2 proxies?
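The mechanism the thread is describing, and the two questions it raises (Spad's "why the phone number at all?" and the last poster's "can I forge the header myself?"), as an added worked example. This is not O2's code and nothing on the page names the real header, the proxy's address range or the partner list: the header name X-Subscriber-Id, the 10.0.0.0/24 proxy range, the partner host tickets.example-carrier.test, the shared secret and the subscriber number are all hypothetical or constructed. Only lew.io comes from the thread.

```python
import hashlib
import hmac
import ipaddress
from typing import Dict, Optional

# All hypothetical: the page does not name the header, the proxy's address
# range, the partner allow-list or any key material.
ID_HEADER = "X-Subscriber-Id"
PROXY_NETS = [ipaddress.ip_network("10.0.0.0/24")]
PARTNER_HOSTS = {"tickets.example-carrier.test"}
PARTNER_SECRET = b"hypothetical-shared-secret"


def parse_headers(raw_request: bytes) -> Dict[str, str]:
    """Return the request headers as a lower-cased name -> value dict."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().decode().lower()] = value.strip().decode()
    return headers


def set_header(raw_request: bytes, name: str, value: Optional[str]) -> bytes:
    """Replace one header in a raw request (remove it when value is None)."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    prefix = name.lower().encode() + b":"
    lines = [l for l in head.split(b"\r\n") if not l.lower().startswith(prefix)]
    if value is not None:
        lines.append(f"{name}: {value}".encode())
    return b"\r\n".join(lines) + sep + body


def pseudonym(msisdn: str, partner_host: str) -> str:
    """Per-partner token derived from the number with a keyed MAC: the partner
    can recognise a returning customer but cannot recover the number, and two
    partners cannot correlate tokens for the same user."""
    mac = hmac.new(PARTNER_SECRET, f"{partner_host}|{msisdn}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def proxy_forward(raw_request: bytes, msisdn: str, buggy: bool = False) -> bytes:
    """Model of the carrier-side transparent proxy.

    buggy=True reproduces what the thread describes: the raw number is added to
    every request regardless of destination. The fixed path injects a pseudonym
    only for allow-listed partner hosts and always strips any client-supplied
    copy, so a handset cannot push a forged value through the proxy."""
    host = parse_headers(raw_request).get("host", "")
    if buggy:
        return set_header(raw_request, ID_HEADER, msisdn)
    if host in PARTNER_HOSTS:
        return set_header(raw_request, ID_HEADER, pseudonym(msisdn, host))
    return set_header(raw_request, ID_HEADER, None)


def partner_subscriber(raw_request: bytes, peer_ip: str) -> Optional[str]:
    """Partner-side check: a request that did not arrive from the carrier's
    proxy range may carry any header the sender likes, so its identifier is
    ignored. Without this check the 'fake headers' attack in the thread works."""
    if not any(ipaddress.ip_address(peer_ip) in net for net in PROXY_NETS):
        return None
    return parse_headers(raw_request).get(ID_HEADER.lower())


def demo() -> Dict[str, object]:
    """Run the cases discussed in the thread on constructed requests."""
    number = "447700900123"  # constructed; UK drama/reserved range
    to_random_site = b"GET /headers.php HTTP/1.1\r\nHost: lew.io\r\n\r\n"
    to_partner = b"GET /my-tickets HTTP/1.1\r\nHost: tickets.example-carrier.test\r\n\r\n"
    forged = set_header(to_partner, ID_HEADER, "447700900999")  # attacker-supplied
    token = pseudonym(number, "tickets.example-carrier.test")

    return {
        # the bug: an unrelated site sees the raw number
        "leaked_to_random_site": parse_headers(
            proxy_forward(to_random_site, number, buggy=True)).get(ID_HEADER.lower()),
        # the fix: an unrelated site sees nothing
        "fixed_random_site": parse_headers(
            proxy_forward(to_random_site, number)).get(ID_HEADER.lower()),
        # a partner sees a token, never the number
        "fixed_partner": partner_subscriber(proxy_forward(to_partner, number), "10.0.0.7"),
        # a forged header sent straight from the internet is ignored
        "forged_direct": partner_subscriber(forged, "203.0.113.5"),
        # a forged header sent through the proxy is overwritten
        "forged_via_proxy_overwritten": partner_subscriber(
            proxy_forward(forged, number), "10.0.0.7") == token,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The two controls are independent: the source-address check on the partner side is what stops the "fake headers" scenario, and the pseudonym is what limits the damage if the proxy ever over-shares again. A real deployment would also have to strip the header on the proxy's egress for non-partner hosts even when the client set it, which `set_header(..., None)` does here.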
