Today we found out that O2 had screwed up their mobile internet proxy settings quite epically and had sent customer phone numbers to millions of websites, worldwide, as a matter of process, presumably by accident.
We already know this from the fantastic investigative works of O2 customer and twitter user Lew Peckover, a 28 year old web systems administrator working in the field for 10 years.
To be able to downscale images, insert things into HTML pages etc. O2 must route your web queries through a HTTP proxy. As well as the things mentioned above, the proxy is adding an extra HTTP Header to outgoing requests. This header contains your mobile number.
Lew created a website to let people see this in action; let’s look at an example:
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A405 Safari/7534.48.3
Accept-Encoding: gzip, deflate
From the top line we can read information about the device and browser, from lines 2-4 we can read about how the phone is setup and what kind of content it likes to recieve and then, there it is, the header that contains your phone number.
As various MVNO‘s like Tesco and GiffGaff use O2’s technical backbone, they’re also affected, though it’s suspect that it’s not affecting all users.
So the big questions I can imagine people are asking now:
Who has my mobile number? Will I receive loads of nusiance calls? Does Facebook/Google/Microsoft/Your Mum have my mobile number?
Short answer: Theoretically any website one has visited recently on your O2 phone will have received it. They probably didn’t know they’d received it though and I suspect probably didn’t think to save it. I’d doubt that anyone will have acquired anyone’s phone number via this message, however, clearly it’s quite an epic security failure because the oppotunity for this happening is high.
Did this happen on purpose?
Short speculation: I highly doubt it. I suspect the issue occurred because O2 wants to track which customer is responsible for traffic as it goes into their land of HTTP proxies so I suspect they have a rule to use DPI to insert this header into each query – it’s an unique key that they can track to every customer. I suspect the way it’s supposed to work is that on the way out of their cluster of web proxies (doing censorship, image rescaling, etc) they should have a rule to remove the header and thus pass all the HTTP requests up to the internet unmodified. My suggestion is that someone probably misconfigured the rule to “look for this header and remove it”, probably by misspelling the rule they were looking for. It’s an easy sysadmin mistake to make.
Shouldn’t O2 have policies in place to deal prevent stuff like this?
Oh yes. I’m sure they do. I’m sure they have change control systems that I could write novels about. Stuff still slips through though. Was this preventable? Almost certainly, but only O2 knows for sure.
What are O2 saying about this?
Well, I’m sure we’re going to see a mediastorm, some big O2 apology and some PR theatre where someone apologies to 02 and twitter is awash with complaints.
However, currently, some numpty at O2 twitter support thought the following response would make sense:
Hi Lewis. The mobile number in the HTML is linked to how the site determines that your browsing from a mobile device #O2Guru
No, you are not a guru. Lines 1-4 of the header do that. Look at line 5. Yep – there’s the issue.
Currently they’re saying it’s their “top priority” and they are “looking into it as we speak” aka they’re frantically paging technical guys and working out how to write the press release; basically the first few scenes of the PR theatre.
Update 1: And their announcement and that they fixed it – thanks MJ Ray.
What should O2 do?
Well, all they can do is fix it, try not to do it again and apologise profusely to their customers.
What’s the legal perspective?
I’m not a lawyer, however I think that the Information Commissioner’s Office should look into the incident with regards to compliance with the Data Protection Act 1998. The ICO should deal with the case as they see fit.
Is new legislation needed to prevent this from happening again?
No. This looks a lot like a technical mistake. In my opinion, the DPA covers this well enough and if anything should be given extra teeth, it should be the ICO in being able to investigate things like this.
How does this affect you, Tim?
Well, I’m not an O2 customer, but this could very well have been any mobile network carrier, anywhere in the world. I’m interested in how this will play out and obviously I’m concerned about the theoretical potential implications, even though personally, I think the actual risk, is relatively low. I’d be quite peed off if this had happened to me.
How can I check if it’s been fixed?
Visit this website on your phone. Do you see your mobile number at all? If yes, it’s still broken, if no, it’s fixed.