O2 mobile number breach

Anyone know of a site that informs you what data it's receiving from a phone app or browser?

According to Money Saving Expert "When MoneySavingExpert.com checked yesterday, we found mobile numbers were disclosed on a site specially designed to notify users of what data it receives on users. When we checked this morning, numbers no longer appeared"

formatting link
site are they referring to?

MSE also reports "O2 says it is normal for it to disclose numbers to sites with premium or adult content, or that are part of its Priority Moments discount service". Why would that be normal when contacting a site from a PC browser obviously doesn't routinely send a mobile number?

Phil

Reply to
Phil Addison

Plenty of sites that do this

formatting link
is the first one that leapt out of Google at me, but there are plenty of others.

I suspect the one that they are talking about is

formatting link
's the site that @lewispeckover first used to highlight the issue.

If you have access to a site where you can stick code (php etc) then it's trivial to access these headers.

Nothing to do with PC browsers. If you use the browser on your phone (for various values of phone) then they add a X header containing your mobile number. If you access some of their premium sites then this number is used to authorise you (or not if you've not subscribed).

As for the adult sites, they won't be sharing this info with the adult site (well, unless they run/partner with some) but they do restrict access until you prove your age. I suspect this then puts your number onto a list that some web proxy can access - the X header containing your number is then checked by the proxy against that list.

Nothing sinister about any of that IMO - pretty standard stuff. Their mistake was (I imagine) to misconfigure some (all?) of their web proxies to forward this on to the world.

Darren

Reply to
D.M.Chapman

Thanks Darren, for a very informative post. You seem to imply that the carrier 'owns' your phone and puts the x-headers into the sender app. My phone is a sim-free Android so hopefully has no such headers, or does android also include the phone number in these?

Phil

Reply to
Phil Addison

No, they don't "own" your phone. They do however need to use your number to provide a service. If part of that service is access to certain sites (things like account management sites etc) or the opposite (to block certain sites to under age users) then they need this information. Your phone is irrelevant - it will identify your SIM to the network and your network can then tally this to a number. Makes perfect sense to then pass this sort of information around *within the secure systems* via HTTP headers.

Anything like this should never make it out of the networks controller systems or in some cases, to the magic "trusted partners". These partners will have agreements in place with the network to protect this data and not share it etc.

O2 appear to have cocked up by misconfiguring some systems and letting this info leak out in all HTTP requests.

Your phone won't have been putting the header in, no phone does (AFAIK). If however your network was O2 (or giffgaff, or Tesco, or any other virtual network overlaid on O2) then O2 will have been adding it.

It's a fairly common model - it's a pretty efficient and simple way of passing small pieces of info around between trusted systems. Much like your browser sending cookies to certain sites (which are also sent via HTTP headers in fact).

Letting it leak to the world was the problem here!

Darren

Reply to
D.M.Chapman

It's more likely that they insert the headers when your HTTP requests traverse their network ...

Reply to
Andy Burns

They receive them initially (in an HTTP response header). When you then send another request to the site your browser sends it back to the site via an HTTP request header.

That's how they know it's you, or they track you, or they let you in, or whatever else they use cookies for.

Effectively, yes. I suspect all networks do it, it's not a dodgy thing to do at all as long as it doesn't leak out.

I work at a university; if you visit our website then you first hit some proxy caches. These will stick some extra headers into your request (you'll not see them, but they are there!) so that the backend web servers know what IP address you are actually coming from (as they will only see a request from our proxies, not your PC). It's common practice and for a mobile network, the phone number makes perfect sense.

Yes. And if those sites are all trusted partners (or other T-mobile sites) then it's no real problem and you will have given them permission to do this in the small print I bet.

Offering that info out to random websites is the problem.

You sign up with $randomsite who is a partner with T-mobile and offer some mobile service (say they sell ringtones). It wants your name, address and IMEI to enable you to sign up. Most people won't know their IMEI, and even if they do, the supplier then needs to get that turned back into a phone number to send you the ringtone.

Much easier for everyone if T-Mobile just sends them the phone number of the client device in the requests. You don't need to find some weird number that you've never heard of, you just have to give your phone number. They don't have to make expensive requests to look up IMEI to phone number - they just have it available from a trusted source (i.e., your network).

I'll be amazed if T mobile and all the other networks are not doing this. It's perfectly sensible, and nothing dodgy.

It's not sneaky stuff. It's standard stuff being sent with their systems (and their affiliates). I'd put money on all networks doing it, it's a perfectly sane way of doing things that is used on millions of websites in various ways.

As long as the outgoing points on their network strip the data then it's fine; that's where they went wrong.

Not trying to stick up for O2 here, I can't stand the network personally but the whole sticking numbers in the headers is really not the issue here, it's the letting it out that's the mistake.

Darren

Reply to
D.M.Chapman
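Two of Darren's points lend themselves to a worked example: that anyone with a server can trivially read these headers (which is all the "what did you send me" sites do), and that the fix belongs at the outgoing proxy, which should strip the header for everything except trusted partners. The Python below is an added example, not code from the thread, from O2 or from the diagnostic sites. Assumptions not stated in the thread: the header name used is the one widely reported for this incident (the posts only say "an X header"), the partner host names are invented, and the phone number is from the Ofcom reserved 07700 900xxx range, so it belongs to nobody.

```python
"""Added example: subscriber number as an X header, the diagnostic-site
check, and the egress filter that should have stopped the leak.

Assumptions (not from the thread): header name, partner domains and the
sample phone number are all chosen for illustration.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Headers that only the operator's own systems and its partners should see.
# Name assumed (widely reported for this incident; the thread says "X header").
PRIVATE_HEADERS = frozenset({"x-up-calling-line-id"})

# "Trusted partner" domains (premium content, age check, discount scheme).
# Invented for the example.
TRUSTED_DOMAINS = frozenset({"premium.example.net", "agecheck.example.net"})


def parse_request(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Parse a raw HTTP/1.1 request head into (method, target, headers).

    Header names are lower-cased; a repeated header is joined with ", " so
    nothing is silently dropped (RFC 9110 allows this for list-valued fields).
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return method, target, headers


def gateway_insert(headers: dict[str, str], msisdn: str) -> dict[str, str]:
    """Operator gateway: the SIM identified the subscriber, the network knows
    the number, and it is attached as an X header for downstream systems."""
    out = dict(headers)
    out["x-up-calling-line-id"] = msisdn
    return out


def _trusted(host: str) -> bool:
    """Exact or subdomain match only; 'evil-premium.example.net' must fail."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def egress_filter(headers: dict[str, str], url: str) -> dict[str, str]:
    """Outgoing proxy as it should be: private headers reach trusted partners
    only and are stripped for every other destination."""
    host = urlsplit(url).hostname or ""
    if _trusted(host):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in PRIVATE_HEADERS}


def misconfigured_egress(headers: dict[str, str], url: str) -> dict[str, str]:
    """The failure mode in the thread: everything forwarded to everyone."""
    return dict(headers)


def leaked_numbers(received: dict[str, str]) -> list[str]:
    """The check a diagnostic site performs on the headers it actually got."""
    return [v for k, v in received.items() if k.lower() in PRIVATE_HEADERS]


def echo_headers(received: dict[str, str]) -> str:
    """Render received headers the way the 'what did you send me' sites do."""
    return "\n".join(f"{k}: {v}" for k, v in sorted(received.items()))


# Constructed request as the phone's browser sends it: no number in it,
# because the phone itself never adds the header.
RAW_REQUEST = (
    b"GET /whatismyheader HTTP/1.1\r\n"
    b"Host: random.example.com\r\n"
    b"User-Agent: ExampleMobileBrowser/1.0\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)


def demo(url: str, filtered: bool = True) -> dict[str, str]:
    """Push one request through gateway and egress; return what the site sees."""
    _, _, phone_headers = parse_request(RAW_REQUEST)
    in_network = gateway_insert(phone_headers, "447700900123")  # reserved range
    egress = egress_filter if filtered else misconfigured_egress
    return egress(in_network, url)


if __name__ == "__main__":
    for url, filtered in [("http://random.example.com/", False),
                          ("http://random.example.com/", True),
                          ("https://premium.example.net/login", True)]:
        seen = demo(url, filtered)
        print(f"--- {url} (egress {'filtered' if filtered else 'MISCONFIGURED'})")
        print(echo_headers(seen))
        print("leaked:", leaked_numbers(seen) or "none")
```

Run as-is, the first case shows a random site receiving the number, the second shows the same request after a correctly configured egress, and the third shows the header still reaching a partner host. The trust check deliberately matches on an exact domain or a dot-separated subdomain rather than a plain suffix, since a suffix match would let a lookalike such as evil-premium.example.net collect the header.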
