If you’re on O2’s UK mobile network (not ADSL), you’ll (probably) see a line beginning with
x-up-calling-line-id- followed by your mobile phone number in plain text
Looks like O2 is sending users mobile phone numbers in plain text over HTTP headers to every site they visit whilst using their network. At the moment the issue appears to be limited to certain APNS on the UK O2 network.
When asked about it, O2 responded with:
The mobile number in the HTML is linked to how the site determines that your browsing from a mobile device
As Lewis points out, a “User-agent header ID’s the device” so this seems a slightly odd stance (particularly as it isn’t happening on all mobile devices).
Update: O2 say that it’s a technical error and that this header should only be sent to whitelisted servers. It does beg the question, which servers are whitelisted? Presumably just O2’s own websites but it’s still not good to be sending information like this in plaintext.