Is your smartphone telling every website you visit your telephone number?

2 mobile users in the UK are venting on Twitter today, fuming at their discovery that their phone number is being shared with every website that they visit over the network.

I found a colleague who owns an iPhone on the O2 network, and we tried it out for ourselves. Making sure we turned off his WiFi connection, we used the O2 mobile network to access the web.


Sure enough, his mobile number was being secretly communicated to websites he visited, embedded inside an http header called HTTP_X_UP_CALLING_LINE_ID.

O2's response so far is to tell concerned Twitter users that it is investigating the issue.

O2 in the UK

• ✔

@O2

@lewispeckover we're investigating this as we speak with our internal teams, we'll get back to you as soon as possible.

25 Jan 12

• Reply
• Retweet
• Favorite

Well, maybe I can be of some assistance. Because, although the problem is getting a lot of people's attention today, it's actually been known about for almost two years at least.
Back in March 2010, Berlin student Collin Mulliner revealed his discovery at the CanSecWest conference in Vancouver and presented a paper on the topic entitled "Privacy Leaks in Mobile Phone Internet Access".
My colleague Chet Wisniewski discussed Mulliner's research at the time and it was also reported in the technology press.
It's hard to understand why a mobile phone network operator would think it is necessary to transmit their customers' mobile phone numbers to the website they visit. My guess is that it's more likely to be a cock-up than malice which caused this data to be leaked - but what's worse is that the problem is still present almost two years after it was first discovered.
It's certainly easy to imagine how the information could be abused - for instance, if your mobile phone number is scooped up, it could then be used to SMS text spam you.
Occasional Naked Security contributor Terence Eden has made a video demonstrating the problem:

So, the big question is are other mobile networks - including those in other countries - also doing this?
If you want to know if your smartphone is revealing your phone number when you browse websites, you can test for yourself by visiting this demo page by Collin Mulliner: www.mulliner.org/pc.cgi
If it comes up green, you're all clear. But if you see red, well.. maybe you'll be seeing red with your mobile phone operator too.
(Remember, you have to turn off WiFi before you test. That way, your phone is forced to use your mobile phone network for the connection.)

Update: O2 says that the problem is now fixed and has published an explanation of what went wrong. 

nakedsecurity.sophos.com