Ben Dodson

Freelance iOS, Apple Watch, and Apple TV Developer

UK Carrier O2 sends your phone number to every website you visit

Lewis Peckover:

If you’re on O2’s UK mobile network (not ADSL), you’ll (probably) see a line beginning with x-up-calling-line-id - followed by your mobile phone number in plain text

Looks like O2 is sending users mobile phone numbers in plain text over HTTP headers to every site they visit whilst using their network. At the moment the issue appears to be limited to certain APNS on the UK O2 network.

When asked about it, O2 responded with:

The mobile number in the HTML is linked to how the site determines that your browsing from a mobile device

As Lewis points out, a “User-agent header ID’s the device” so this seems a slightly odd stance (particularly as it isn’t happening on all mobile devices).

Update: O2 say that it’s a technical error and that this header should only be sent to whitelisted servers. It does beg the question, which servers are whitelisted? Presumably just O2’s own websites but it’s still not good to be sending information like this in plaintext.

BenDodson.com gets an update » « How not to ask for an iOS app review - A review of Jumpship Thrust Control 2