O2’s Customer Phone Number Leakage: A Cock-Up?

O2 is investigating claims of a security flaw which discloses its customers’ phone numbers to every website they visit on its network.

Customers have flocked to Twitter to complain after a user named ‘Lewispeckover’ created a website exposing the issue.

Who’s calling me?

“This page is a simple little script which prints out all the information I receive about you when you visit. It is logical to conclude that this same information is sent to all other websites too, “ states the website.

“We’re investigating this as we speak with our internal teams, we’ll get back to you as soon as possible,” said O2 in a tweeted response to Lewispeckover.

Graham Cluley, senior technology consultant, claims that the flaw has been known for around two years, when a Berlin student documented his findings in an academic paper.

Cluley tested an iPhone on the O2 network with the device’s Wi-Fi functionality switched off and found that his number was being communicated to every website he visited under an http leader called ‘HTTP_X_UP_CALLING_LINE_ID’.

“It’s hard to understand why a mobile phone network operator would think it is necessary to transmit their customers’ mobile phone numbers to the website they visit,” said Cluley. “My guess is that it’s more likely to be a cock-up than malice which caused this data to be leaked – but what’s worse is that the problem is still present almost two years after it was first discovered.”

“It’s certainly easy to imagine how the information could be abused – for instance, if your mobile phone number is scooped up, it could then be used to SMS text spam you,” he added.

The news is unlikely to ease concerns held by many that mobile users are not taking security seriously. McAfee research found that 70 percent of users said that they considered their devices to be safe from cybercrime, despite 67 percent not having even the basic level of security on their phone.