Verizon Injects Unique IDs Into HTTP Traffic

An anonymous reader writes: Verizon Wireless, the nation's largest wireless carrier, is now also a real-time data broker. According to a security researcher at Stanford, Big Red has been adding a unique identifier to web traffic. The purpose of the identifier is advertisement targeting, which is bad enough. But the design of the system also functions as a 'supercookie' for any website that a subscriber visits. "Any website can easily track a user, regardless of cookie blocking and other privacy protections. No relationship with Verizon is required. ...while Verizon offers privacy settings, they don’t prevent sending the X-UIDH header. All they do, seemingly, is prevent Verizon from selling information about a user." Just like they said they would.

Hello Vodafone

[wabrandsma]

From: Using Browser Properties for Fingerprinting Purposes.

Vodafone injects the X-VF-ACR header: 'Vodafone Anonymous Customer Recognition'. It is unclear what this header exactly does; all headers that have been seen start with the string "204004DYNMVFNLACR", followed by 16 X's, and are followed by a BASE64-encoded 256-byte cyphertext, which we were unable to decrypt. It has been suggested that this string might contain the SIM-card identifier (IMSI) or other personal information, as was found in a research conducted by Mulliner in 2010 [14]. Vodafone did not respond to requests of explaining this header. Nevertheless, the presence of this header, certainly identifies customers of Vodafone as being customers of Vodafone.

Re:Telling The Story Backwards and Upside Down.

[DamnOregonian]

I have a good friend there right now. There have been 2 attempts on her where she had to physically fight someone off of her, and the first 2 days of reception were sexual assault awareness classes where they're instructed to stay out of the dark and not go anywhere on-base that they're not familiar with or get into any cars they're not familiar with. No shit. On a US army base.