Thursday, January 26, 2012

O2 UK network security blunder exposes customers' phone numbers to websites

Phone number exposed via HTTP headers

If you're browsing the web on your phone or tablet on O2 UK, then the network could be exposing your phone number to every website you visit. O2 customer Lewis Peckover recently discovered that when you're browsing over 3G on O2, your handset's phone number is often included in the HTTP headers sent to each website you visit, in plain text.

HTTP headers are information exchanged between your browser and the web server before a page is loaded. In theory, the way O2 includes your phone number -- alongside more mundane information like your IP address, browser and OS -- means that any website you visit could easily find out your number. It's worth pointing out that the header used by O2 to send phone numbers -- "x-up-calling-line-id" -- isn't one that's routinely logged by web servers. However, just a couple of lines of code would allow a malicious site to find your phone number just by having you visit a website on 3G.

Lewis Peckover has set up a site to allow O2 customers to see whether they're affected. We've tried this with an O2 SIM in our Galaxy Nexus, and sure enough, there our phone number was in the list of "headers received". If you're on O2, make sure you've got Wifi disabled on your device, then click here and see if you spot your phone number among the HTTP headers.

This isn't an Android-specific problem, however due to the fact that it's a network-level issue, it'll affect Android phones just the same as any other device that's browsing over O2's data network. For this reason, just about anything that connects via HTTP over O2's network could potentially access this information. For its part, O2 says it's "investigating" the issue, and while this is a big deal for O2 customers, the fact that this is a network-level problem should mean that a fix will be relatively quick and easy to deploy.

More: Lew.io; via: ThinkBroadband



Source: http://feedproxy.google.com/~r/androidcentral/~3/W0LTWSsLFNU/story01.htm

bob hope mariano rivera mariano rivera dadt repeal comedy central roast neal schon neal schon

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.