O2 UK network security blunder exposes customers' phone numbers to websites

News
By last updated

Update: O2 says that as of 1400 GMT today it has fixed, the problem, and that "technical changes" as part of "routine maintenance" were to blame for the issue, which affected customers from Jan. 10 until today. The network's full statement is available on its official blog.

Original story: If you're browsing the web on your phone or tablet on O2 UK, then the network could be exposing your phone number to every website you visit. O2 customer Lewis Peckover recently discovered that when you're browsing over 3G on O2, your handset's phone number is often included in the HTTP headers sent to each website you visit, in plain text.

HTTP headers are information exchanged between your browser and the web server before a page is loaded. In theory, the way O2 includes your phone number -- alongside more mundane information like your IP address, browser and OS -- means that any website you visit could easily find out your number. It's worth pointing out that the header used by O2 to send phone numbers -- "x-up-calling-line-id" -- isn't one that's routinely logged by web servers. However, just a couple of lines of code would allow a malicious server to find your phone number just by having you visit a website over 3G.

Lewis Peckover has set up a site to allow O2 customers to see whether they're affected. We've tried this with an O2 SIM in our Galaxy Nexus, and sure enough, there our phone number was in the list of "headers received". If you're on O2, make sure you've got Wifi disabled on your device, then click here and see if you spot your phone number among the HTTP headers. For what it's worth, early reports indicate that not all O2 customers are affected, though a large proportion apparently are.

This isn't an Android-specific problem, however due to the fact that it's a network-level issue, it'll affect Android phones just the same as any other device that's browsing over O2's data network. For this reason, just about anything that connects via HTTP over O2's network could potentially access this information. For its part, O2 says it's "investigating" the issue, and while this is a big deal for O2 customers, the fact that this is a network-level problem should mean that a fix will be relatively quick and easy to deploy.

More: Lew.io; via: ThinkBroadband

Alex Dobie
Alex Dobie
Executive Editor

Alex was with Android Central for over a decade, producing written and video content for the site, and served as global Executive Editor from 2016 to 2022.

Read more
A statue of the multicolored "G" in Google on the Google campus in Mountain View
Google warns Android users of a zero-day software exploit causing instability
Google Pixel 9 Pro and Pixel 9 Pro XL angled view
Google's crucial February security patch for Pixels is here among other updates
Google Pixel 9 Pro in hand
Several Google Pixel series are struggling with major issues after March patch
Google Pixel 7a
Annoying reboot bug hits Pixel 7 owners on Android 16 beta
Google Messages blue logo
Google Messages addresses issues regarding media text failures in RCS chats
Android Auto coolwalk redesign
Android Auto's new update causes glitches for some users
Latest in Phones
POCO F7 Ultra back view on blue background with yellow colors next to it
POCO F7 Ultra review: The best bargain of 2025
The Samsung Galaxy S25 Edge on display
New leak shows off Samsung Galaxy S25 Edge in 'Titanium' variants
The back of the Obsidian Google Pixel 9 Pro
Some Pixel owners had a delayed start, thanks to alarm clock failures
Holding an Obsidian Google Pixel 9 Pro
That's not a typo — this Google Pixel 9 Pro deal from Amazon makes Black Friday look like a joke
Leaked image of a blue Galaxy Z Flip 7
New Galaxy Z Flip 7 case leak backs rumors of a larger cover display
Android Central's Lloyd sitting at a computer desk
Editor's Desk
Latest in News
The promotional image for Google Workspace feature drops.
The March Workspace feature drop upgrades Gemini's note-taking and translation tools
The Samsung Galaxy S25 Edge on display
New leak shows off Samsung Galaxy S25 Edge in 'Titanium' variants
YouTube Music home screen
YouTube Music's personalized radio stations are getting even smarter
The back of the Obsidian Google Pixel 9 Pro
Some Pixel owners had a delayed start, thanks to alarm clock failures
Samsung Galaxy S25 Ultra Home Screen - 16x9
Heads up — Samsung's detailed One UI 7 rollout schedule for Galaxy appears
The old Android logo at Google's Pier 57 building in New York City
Report claims Google may move to 'privately' develop Android's future
More about phones
The Samsung Galaxy S25 Edge on display

New leak shows off Samsung Galaxy S25 Edge in 'Titanium' variants
The back of the Obsidian Google Pixel 9 Pro

Some Pixel owners had a delayed start, thanks to alarm clock failures
POCO F7 Ultra back view on blue background with yellow colors next to it

POCO F7 Ultra review: The best bargain of 2025
See more latest