Slashdot Mirror

← Back to Stories (view on slashdot.org)

O2 Fixes 'Accidental' Leak of Phone Numbers

Posted by timothy on from the take-this-leak-and-shove-it dept.

judgecorp writes "British mobile operator O2 says it has stopped sharing users phone numbers with all websites, and says the breach was an accident. Yesterday, users found that the operator was automatically passing their mobile numbers to any site they visited, while using O2's mobile network,"

33 of 42 comments (clear)

  1. Trusted partners? by daveewart · · Score: 5, Informative

    I see they keep banging on about "trusted" partners. Trusted by whom? That's the point which they seem to be missing... Certainly not "trusted by O2 customers".

    --
    "If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe
    1. Re:Trusted partners? by Sockatume · · Score: 1

      Presumably they mean sites which fall within O2's web portal. For example, my mobile phone company's web portal can bring up my customer billing page without logging in, which indicates it's uniquely identifying me. It may be that they did something similar for AnnoyingInternetVidsAsRingtones.blah when visited through their web portal, to make it easier to bill people.

      --
      No kidding!!! What do you say at this point?
    2. Re:Trusted partners? by biodata · · Score: 3, Insightful

      Does trusted partners include every internet link and server between them and their trusted partners? The main problem seems to be that they are sharing people's private information in an insecure, unencrypted format (plain text), using an insecure, unencrypted mechanism (http headers) with the internet at large. Isn't this a dereliction of their duty to protect the privacy of their customers' information?

      --
      Korma: Good
  2. Second link is wrong by piripiri · · Score: 2

    Second link is wrong. It should be: http://www.techweekeurope.co.uk/news/o2s-customer-phone-number-leakage-a-cock-up-56263.

  3. Script for checking by Inda · · Score: 2

    I got this link from the BBC News site. It just displays the headers (something most of us could do, I know):

    http://lew.io/headers.php

    My number did not appear. I'm on Tesco, who are a reseller for O2.

    --
    This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    1. Re:Script for checking by Sockatume · · Score: 1

      It was corrected at 2pm yesterday according to one of the stories linked to in the summary.

      --
      No kidding!!! What do you say at this point?
    2. Re:Script for checking by jo_ham · · Score: 1

      They fixed the issue before most of the stories went up, and it was also specific to cellular connections - if you visited via WiFi it would not show the error (since the problem was inside O2's network rather than happening at the handset end).

    3. Re:Script for checking by rapiddescent · · Score: 1

      I tried it yesterday (before o2 removed it) from my mobile phone and it showed a http header with 4478****** which is my number. Clearly there is some sort of transparent proxying going on - one has to wonder what else they are using that proxy for? The cat is out the bag that they are actively proxying port 80 traffic. However, no doubt they'll get no more than a slap on the wrist from the ICO for this breach.

    4. Re:Script for checking by jo_ham · · Score: 2

      Like they said - it (was) used for convenience with sites they were linked with, like O2 tickets and ringtone sites within their portal. There's nothing inherently Machiavellian about this, but I suppose it is the slashdot modus operandi to assume that companies can't do anything *but* be evil.

    5. Re:Script for checking by viperidaenz · · Score: 2

      You'll find most ISP's run transparent caching proxies. The benefit to customers is decreased page load time, the benefit to the ISP is decreased bandwidth.

    6. Re:Script for checking by Anne+Thwacks · · Score: 1

      You might want to Google Mandy RIce-Davis ("He would say that, wouldn't he")

      --
      Sent from my ASR33 using ASCII
    7. Re:Script for checking by Zaiff+Urgulbunger · · Score: 1

      ...it showed a http header with 4478****** which is my number.

      Luckily it just shows as stars to everyone else. They must be using that same tech that Facebook uses that makes your password appear as stars when you type it. I'm pretty confident you are completely 100% safe!

      ;)

  4. Re:me.surprise==0 by Sockatume · · Score: 2

    O2 belongs to Telefonica these days.

    --
    No kidding!!! What do you say at this point?
  5. Privacy is like virginity by aglider · · Score: 2

    Once you've lost it, it's gone forever.
    Unless you change something really ... low level.
    Like the phone number.

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re:Privacy is like virginity by tgd · · Score: 1

      Once you've lost it, it's gone forever.
      Unless you change something really ... low level.
      Like the phone number.

      And did you miss your virginity after it was gone?

    2. Re:Privacy is like virginity by viperidaenz · · Score: 1

      I had a new desire to keep doing what it was that caused its loss.

      Sounds like a facebook user...It starts by signing up and sharing a few photos, next thing you know they're on there hours a day posting constant updates noone but themselves and those already involved (and the stalkers) care about

    3. Re:Privacy is like virginity by Anne+Thwacks · · Score: 1

      and the credit rating agencies and other data miners with face recognition software.

      --
      Sent from my ASR33 using ASCII
  6. Re:me.surprise==0 by jo_ham · · Score: 1

    It allows for convenient billing, for example, if you buy ringtones from O2's store (if you're the type to do this - it used to be huge here before the rise of the smartphone), or O2's link with ticketing for the O2 Arena, where customers get priority and discounted tickets for being on O2.

  7. They cocked up but... by iB1 · · Score: 2

    O2 screwed up by making what appears to be a school-boy error. However, after they were notified of the fault, they admitted blame, fixed it quickly and told everyone what happened. It would have obviously been preferable if this leak hadn't happened in the first place, but I can't blame them for how they handled it.

    1. Re:They cocked up but... by Spad · · Score: 1

      I can blame them because they are sending phone numbers as HTTP headers to websites. I don't care if they're "selected, trusted 3rd-party sites" and that sending them to everyone was an accident, I want to know why they're using phone numbers *at all*. If you need to identify a customer to a 3rd party site for whatever reason then you use a unique identifier that isn't directly connected to that user and you certainly don't use their phone number.

      It may have been an accident, but it was an accident that should never have been able to happen.

    2. Re:They cocked up but... by biodata · · Score: 1

      Not really. They are still sharing people's phone numbers with anyone they decide they want to.

      --
      Korma: Good
    3. Re:They cocked up but... by aztracker1 · · Score: 1

      Personally, I would have preferred they used IdentD services on the proxy endpoints, and allowed queries from selected IPs... The technology in place essentially allows you to go to "their" portal and related sites, and have those sites know it is you. In this case, the number is merely an identifier, and doesn't automagically tie your phone number to your person. Though could, combined with other information, be used to avoid privacy. The fact is that phone numbers are rather limited in nature, and given 10K guesses, with your relative home location, could probably come up with your number, as well as your neighbor, etc.

      --
      Michael J. Ryan - tracker1.info
  8. Re:O2 "Fixes" ? by jo_ham · · Score: 3, Insightful

    "Caught red handed"

    What do you mean? It was a mistake that started on January 12th and was corrected when it was noticed, yesterday.

    You make it sound like this was some secret, evil scheme.

  9. Who's lying/incorrect? by biodata · · Score: 1
    In the linked article the Sophos 'expert' Grham Cluley said the problem had been known for around two years. On the BBC news site, however, an O2 spokesperson was reported as saying that the fault had only been happening since 10th January (i.e. the Twitter user who caught them red-handed was lucky to have spotted the problem as soon as it happened).

    I wonder where the truth lies?

    --
    Korma: Good
    1. Re:Who's lying/incorrect? by IAmGarethAdams · · Score: 2

      The paper from two years ago mentions the problem in relation to

      the U.K.'s Orange and Canada's Rogers Wireless

      and not in relation to O2. Had they been involved 2 years ago, I would have expected them to be named in that original paper.

  10. Gotta love those quote marks by Burb · · Score: 2

    Compare:
    O2 Fixes 'Accidental' Leak of Phone Numbers
    vs
    O2 Fixes Accidental Leak of Phone Numbers

    --

    1. Re:Gotta love those quote marks by jo_ham · · Score: 2

      It's to be expected for the standard slashdot groupthink - didn't you get the memo? Anything a company does, without exception, has a secret, ulterior motive designed to crush the common man, hurt open source, and destroy privacy.

      It's simply not possible for a company to ever do anything accidental. This was clearly O2's plan all along and they've been "caught" trying to be evil. Score one for the little guy!

      DISCLAIMER: The above comments might be facetious. YMMV.

    2. Re:Gotta love those quote marks by eastlight_jim · · Score: 1

      They're brilliant aren't they? They crop up everywhere now. The BBC uses them with gay abandon and whilst I'm sure that they're just using them in their traditional sense (i.e. to delineate a quote) the results can often be hilarious.

      Here's another amusing example from today on the BBC: 'Cloaking' a 3-D object from all angles demonstrated. You can just hear the derisive journalist as he writes the headline...

  11. Fixed link from article by LivinFree · · Score: 1

    In TFA, the "yesterday" link appears to have been fat-fingered. Here is the fixed link:
    --
    [...]was automatically passing their mobile numbers to any site they visited[...]
    --

  12. What type of error? by FurtiveGlancer · · Score: 1

    Apparently they were mistakenly providing mobile numbers to sites that had not paid for them!

    --
    Invenio via vel creo
  13. Ellipsis by CanHasDIY · · Score: 1

    Remember a time when corporations were held fiscally and criminally responsible for their actions?

    Pepperidge Farms remembers.

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
  14. Re:O2 "Fixes" ? by Patch86 · · Score: 1

    I don't get it, and I don't get the suspicious quotes in the headline either. Why on earth would O2 be doing it on purpose? What possible reason would they have to pass your phone number to every random non-affiliated website you visit (particularly when they freely admit that they've always passed it to trusted websites such as ones they own, and will continue to do so).

    Sounds like a text-book coding cock up to me. Embarassing for the developers involved, possibly indicative that they don't test things properly, or are rushing releases- but that sounds pretty familiar to me.

  15. Danger to abuse HTTP Headers? by Zwerg_Sense · · Score: 1

    now we know they have certain headers for billing purposes, not the smartest way... Is there a danger in these headers now? going to the 'trusted partner' with your own fake headers without going through the O2 proxies?