O2 Fixes 'Accidental' Leak of Phone Numbers

judgecorp writes "British mobile operator O2 says it has stopped sharing users phone numbers with all websites, and says the breach was an accident. Yesterday, users found that the operator was automatically passing their mobile numbers to any site they visited, while using O2's mobile network,"

Trusted partners?

[daveewart]

I see they keep banging on about "trusted" partners. Trusted by whom? That's the point which they seem to be missing... Certainly not "trusted by O2 customers".

Re:

[Sockatume]

Presumably they mean sites which fall within O2's web portal. For example, my mobile phone company's web portal can bring up my customer billing page without logging in, which indicates it's uniquely identifying me. It may be that they did something similar for AnnoyingInternetVidsAsRingtones.blah when visited through their web portal, to make it easier to bill people.

Re:Trusted partners?

[biodata]

Does trusted partners include every internet link and server between them and their trusted partners? The main problem seems to be that they are sharing people's private information in an insecure, unencrypted format (plain text), using an insecure, unencrypted mechanism (http headers) with the internet at large. Isn't this a dereliction of their duty to protect the privacy of their customers' information?

Second link is wrong

[piripiri]

Second link is wrong. It should be: http://www.techweekeurope.co.uk/news/o2s-customer-phone-number-leakage-a-cock-up-56263 [techweekeurope.co.uk].

Script for checking

[Inda]

I got this link from the BBC News site. It just displays the headers (something most of us could do, I know):

http://lew.io/headers.php

My number did not appear. I'm on Tesco, who are a reseller for O2.

Re:

[Sockatume]

It was corrected at 2pm yesterday according to one of the stories linked to in the summary.

Re:

[jo_ham]

They fixed the issue before most of the stories went up, and it was also specific to cellular connections - if you visited via WiFi it would not show the error (since the problem was inside O2's network rather than happening at the handset end).

Re:

[rapiddescent]

I tried it yesterday (before o2 removed it) from my mobile phone and it showed a http header with 4478****** which is my number. Clearly there is some sort of transparent proxying going on - one has to wonder what else they are using that proxy for? The cat is out the bag that they are actively proxying port 80 traffic. However, no doubt they'll get no more than a slap on the wrist from the ICO for this breach.

Re:

[jo_ham]

Like they said - it (was) used for convenience with sites they were linked with, like O2 tickets and ringtone sites within their portal. There's nothing inherently Machiavellian about this, but I suppose it is the slashdot modus operandi to assume that companies can't do anything *but* be evil.

Re:

[Anne Thwacks]

You might want to Google Mandy RIce-Davis ("He would say that, wouldn't he")

Re:

[viperidaenz]

You'll find most ISP's run transparent caching proxies. The benefit to customers is decreased page load time, the benefit to the ISP is decreased bandwidth.

Re:

[Zaiff Urgulbunger]

...it showed a http header with 4478****** which is my number.

Luckily it just shows as stars to everyone else. They must be using that same tech that Facebook uses that makes your password appear as stars when you type it. I'm pretty confident you are completely 100% safe!

;)

Re:O2 "Fixes" ?

[jo_ham]

"Caught red handed"

What do you mean? It was a mistake that started on January 12th and was corrected when it was noticed, yesterday.

You make it sound like this was some secret, evil scheme.

Re:

[Patch86]

I don't get it, and I don't get the suspicious quotes in the headline either. Why on earth would O2 be doing it on purpose? What possible reason would they have to pass your phone number to every random non-affiliated website you visit (particularly when they freely admit that they've always passed it to trusted websites such as ones they own, and will continue to do so).

Sounds like a text-book coding cock up to me. Embarassing for the developers involved, possibly indicative that they don't test things pro

Re:

[Sockatume]

O2 belongs to Telefonica these days.

Re:

[jo_ham]

It allows for convenient billing, for example, if you buy ringtones from O2's store (if you're the type to do this - it used to be huge here before the rise of the smartphone), or O2's link with ticketing for the O2 Arena, where customers get priority and discounted tickets for being on O2.

Privacy is like virginity

[aglider]

Once you've lost it, it's gone forever.
Unless you change something really ... low level.
Like the phone number.

Re:

[tgd]

Once you've lost it, it's gone forever.
Unless you change something really ... low level.
Like the phone number.

And did you miss your virginity after it was gone?

Re:

[viperidaenz]

I had a new desire to keep doing what it was that caused its loss.

Sounds like a facebook user...It starts by signing up and sharing a few photos, next thing you know they're on there hours a day posting constant updates noone but themselves and those already involved (and the stalkers) care about

Re:

[Anne Thwacks]

and the credit rating agencies and other data miners with face recognition software.

They cocked up but...

[iB1]

O2 screwed up by making what appears to be a school-boy error. However, after they were notified of the fault, they admitted blame, fixed it quickly and told everyone what happened. It would have obviously been preferable if this leak hadn't happened in the first place, but I can't blame them for how they handled it.

Re:

[Spad]

I can blame them because they are sending phone numbers as HTTP headers to websites. I don't care if they're "selected, trusted 3rd-party sites" and that sending them to everyone was an accident, I want to know why they're using phone numbers *at all*. If you need to identify a customer to a 3rd party site for whatever reason then you use a unique identifier that isn't directly connected to that user and you certainly don't use their phone number.

It may have been an accident, but it was an accident that sho

Re:

[viperidaenz]

How dare they send YOUR phone number to THEIR sites.

Oh wait, its their phone number and you're only borrowing it on the terms and conditions you signed when you agreed to take their services, which includes sharing your information with their affiliates.

Re:

[aztracker1]

Personally, I would have preferred they used IdentD services on the proxy endpoints, and allowed queries from selected IPs... The technology in place essentially allows you to go to "their" portal and related sites, and have those sites know it is you. In this case, the number is merely an identifier, and doesn't automagically tie your phone number to your person. Though could, combined with other information, be used to avoid privacy. The fact is that phone numbers are rather limited in nature, and give

Re:

[biodata]

Not really. They are still sharing people's phone numbers with anyone they decide they want to.

Who's lying/incorrect?

[biodata]

In the linked article the Sophos 'expert' Grham Cluley said the problem had been known for around two years. On the BBC news site, however, an O2 spokesperson was reported as saying that the fault had only been happening since 10th January (i.e. the Twitter user who caught them red-handed was lucky to have spotted the problem as soon as it happened).

I wonder where the truth lies?

Re:

[IAmGarethAdams]

The paper from two years ago [computerworld.com] mentions the problem in relation to

the U.K.'s Orange and Canada's Rogers Wireless

and not in relation to O2. Had they been involved 2 years ago, I would have expected them to be named in that original paper.

Gotta love those quote marks

[Burb]

Compare:
O2 Fixes 'Accidental' Leak of Phone Numbers
vs
O2 Fixes Accidental Leak of Phone Numbers

Re:

[jo_ham]

It's to be expected for the standard slashdot groupthink - didn't you get the memo? Anything a company does, without exception, has a secret, ulterior motive designed to crush the common man, hurt open source, and destroy privacy.

It's simply not possible for a company to ever do anything accidental. This was clearly O2's plan all along and they've been "caught" trying to be evil. Score one for the little guy!

DISCLAIMER: The above comments might be facetious. YMMV.

Re:

[eastlight_jim]

They're brilliant aren't they? They crop up everywhere now. The BBC uses them with gay abandon and whilst I'm sure that they're just using them in their traditional sense (i.e. to delineate a quote) the results can often be hilarious.

Here's another amusing example from today on the BBC: 'Cloaking' a 3-D object from all angles demonstrated [bbc.co.uk]. You can just hear the derisive journalist as he writes the headline...

Fixed link from article

[LivinFree]

In TFA, the "yesterday" link appears to have been fat-fingered. Here is the fixed link:
--
[...]was automatically passing their mobile numbers [techweekeurope.co.uk] to any site they visited[...]
--

What type of error?

[FurtiveGlancer]

Apparently they were mistakenly providing mobile numbers to sites that had not paid for them!

Ellipsis

[CanHasDIY]

Remember a time when corporations were held fiscally and criminally responsible for their actions?

Pepperidge Farms remembers.

Danger to abuse HTTP Headers?

[Zwerg_Sense]

now we know they have certain headers for billing purposes, not the smartest way... Is there a danger in these headers now? going to the 'trusted partner' with your own fake headers without going through the O2 proxies?