14 
Apparently O2’s sending some customer phone numbers in the HTTP header to every website they browse over its cellular network. It’s not unusual to send identifier information to sites when you visit — it’s normally your IP address — but your phone number? That’s a whole different ball game.
I don’t know about you, but I sure as hell don’t want every website I visit to have my phone number. Whether they collect it or not, I get enough cold calls and spam texts as it is. You can check it out for yourself courtesy of @lewispeckover at his headers test site; some are reporting that it does send their phone number, others aren’t seeing it. It certainly seems a bit odd, but we’ve checked it out for ourselves and sure enough, our phone number is visible on O2 for us (see below). It’s also not visible on any of the other networks we’ve tried, including Three and Orange, but might be for any other MVNO that uses O2 like GiffGaff.
We’ve reached out to O2 about this, and will keep you posted on what they say. Hopefully it’s just some kind of error that can be easily corrected; it’s certainly a bit odd that it’s happening for some but not others. Who knows what nefarious sites might do with your phone number, especially now it’s become widely known. [ThinkBroadband]
Image credit: Screaming couple from Shutterstock
Updated: It looks as though O2 have scrambled to fix it and it’s no longer sending your number out, at least as far as we can tell. That was pretty quick, but considering it’s been happening for a while, there might be repercussions from the Information Commissioner’s Office in O2′s future.
People Need Telling Not to Give Their Phone Numbers to Random Web Sites
What Does O2's Phone Number-Leaking Scandal Mean For Me? (Updated, Again)
O2 Customers Will be Allowed to Call and Text Over Wi-Fi, Using Their Same Number
Side question, Is it happening on the 4G dongles too?
Going to test that later, will let you know.
Doesn’t appear to be doing it for the dongles.
Well that’s Good news at least.
The 4G dongles have been checked, I wonder if it happens on standard 3g dongles as well… anyone?
Or 3G tablets…
This is far more likely, since they use the same network. Has this also been confirmed as cross-platform and cross browser? I know you quoted Atomic Browser and Safari but is AB based off of safari or webkit, we need a O2 using Windows Phone owner to chime in, along with someone using firefox on Android.
Atomic is webkit based.
colinpolonowski has confirmed it’s happening on Android Firefox, so it isn’t just Webkit, just need a WP7 user to show up and test Internet Explorer. Could be a long wait
JoeByrne88 has confirmed on 3G tablets as well (ipad2).
Are users generally supplied with the number assigned to mobile internet plans? I’ve never had one, just curious as to how it works information wise.
Dirty bustids! Confirmed on my phone, using Atomic Browser and Safari…
Also confirmed here. I wonder if those who don’t get it are accidentally trying that site with wifi?
It’s possible I guess.
Didn’t see it over WiFi
BUT…. DID see it with WiFi off.
This could be big.. Does it also reveal your phone number if your browsing with WIFI ON?
No, they can’t reveal/insert your number if you’re on WiFi. They can’t see anything you’re doing under those circumstance. In fact it doesn’t even happen even if you also get your broadband from O2.
I can also confirm its happening on Tesco mobile (which uses the O2 network).
Happening here on my Galaxy S2 :-/
That’s using the mobile version of Firefox.
Ok, so it’s not just webkit based browsers then.
Yeah it’s not the phone/browser that’s inserting it – it’s the O2 phone network itself (the transparent proxy in particular).
I know that the broswer itself that was doing it, but it might have only happened to people using 1 type of browser, depending on how the iD’s were being passed (I think I’m right in saying this, but admit I’m no expert).
Yip confirmed here too on iPhone/Safari….nothing on Wifi just ip address. Out of contract at the moment should be interesting conversation with customer service…..
Just tried it on WP7 and it does indeed show up with my number. o2′s going have some kind of PR nightmare when the papers catch wind of this.
Presume that you used IE?
Yeah, phone updated to mango also, so latest IE version.
Confirmed on a giffgaff SIM too
Confirmed – my number appears in the headers.
I called O2 technical support and the operative wasn’t able to give me a clear answer why this happens or if it is normal.
The privacy implications are not good, so I emailed a screenshot to their complaints email address.
I also called the Information Comissioner who said this doesn’t sound like proper use of information but without a name associated with the mobile number wasn’t “personal information”
Oh jeez, work is going to be fun today.
I will have to explain it to my manager… joy.
Happening on 3G tablets as well…or at least my iPad contracted to o2.
can confirm on GS2 stock browser…not impressed one bit
I’m not seeing it on my N900 using the standard browser.
Confirmed on Dolphin Browser on my HTC Wildfire
I’ve had a look at my own website’s logs, which stores standard header information. It does not keep this data as far as I can tell.
Unless the site is designed to extract this data from the header(like Lew’s test page we’ve all been going to), this information cannot be used.
Of course, now that this is out there, unscrupulous site developers can begin to make use of this, and get a fine collection of active mobile numbers to sell off at their will….
It may not be ‘personal information’ according to the Information Comissioner (@tentenone), but having a list showing active numbers is a lot better than random dialling… O2 users, maybe we should prepare for a spam caller onslaught…
Stupid question – How long has it been happening and why hasn’t it been picked up before now?
That is a very long way from being a stupid question.
Change your APN username to “bypass” which bypasses o2′s proxying, problem solved. This will also be why results are sporadic, users using this APN username will not be seeing the problem, and ones using the standard o2web and similar usernames, which are proxied, will have the phone number leak.
Just an FYI:
for iPhones, the standard APN is “idata.o2.co.uk”, the username is “vertigo” and the password is the word “password” – so if you go tinkering with your iPhone’s APN settings (found in settings – general – network – mobile data network).
similarly for the APN “mobile.o2.co.uk” and “wap.o2.co.uk”
Changed my APN username, but number still being transmitted. On Tesco Mobile
Needs to be these settings:
APN: mobile.o2.co.uk
Username: bypass
Password: password
Yeah, didn’t work for me either.
And I went in to airplane mode and out again to make sure it was using the new settings
quote from o2 online chat:
‘Ray:I’m sorry if you access the website through the phone then the website captures the phone details and it’s mandatory for them.’
‘Ray:We will be unable to block it as it requires this info to go onto these websites.’
Is this being done by the phone’s software or O2′s proxy server? :S
Oh, nevermind I just saw nidO’s comment about bypassing the proxy.
Engadget just updated with a response from O2: “We received confirmation from O2, who said that it was “investigating with internal teams and it’s our top priority.”"
I just tried using Skyfire on private browsing – still happening
Confirmed here too.
That’s shocking
Confirmed with WiFi tether from my Android – four browsers on my Mac (Firefox, Safari, Chrome and Camino) all show my phone number when I use the tether.
Also confirmed with Android Firefox, although that is old news now.
Confirmed using a HTC radar
Found a link to an article highlighting this last year, it’s not a new problem. http://tinyurl.com/83j9gbz
There’s also a handy link from there to easily test if your browser is sending anything undesirable: http://www.mulliner.org/pc.cgi
iPhone on Vodafone is fine. About to try if tethering makes any difference.
Vodafone tethered on a Mac to iPhone 4: Chrome, Firefox and Safari all test just fine – no number leak.
Wow, I’ve never had a comment put through for moderation before, what gives?
Did it have more than one link? If yes, that is the problem. It happenned to me once.
Reply fail. This is @Growmac.
Thanks, it did. So:
Found a link to an article highlighting this last year, it’s not a new problem. http://tinyurl.com/83j9gbz
Second:
There’s also a handy link from there to easily test if your browser is sending anything undesirable: http://www.mulliner.org/pc.cgi
iPhone on Vodafone is fine.
anyone received (already! surprise surprise) an email spam from this address o2@o2-email.co.uk with various numbers?
I just made this to work out if you’re affected: http://ismyphonenumbervisible.co.uk/
Oh boy, how are O2 getting out of this one?
(Confirmed on iPhone 4, Safari on O2. Again.)