Vodacom exposing your number to every website you visit

HTTP headers are being injected into requests you send to web servers

October 29, 2014

Vodacom is providing information which uniquely identifies you as a subscriber to every website you visit while on its data network. This was revealed by an online tool created by security researcher Kenneth White.

Among the data Vodacom subscribers are inadvertently providing to web servers is their phone number and a unique identifier for their device called the IMEI/SV.

Recent media reports suggest that this data is being sent to web servers because Vodacom is modifying the web traffic of its subscribers.

In particular, it is injecting an additional hypertext transfer protocol (HTTP) header into the messages subscribers send to servers when requesting items such as web pages.

Tech-savvy Vodacom customers noticed and started reporting the issue after international publications picked up that Verizon, a mobile network in the United States, was sending websites a “permanent cookie”.

Verizon calls the technology “PrecisionID”, and refers to this “perma-cookie” (a string of many characters) as the Unique Identifier Header (UIDH).

Advertising industry reports say that PrecisionID was designed to help advertisers uniquely identify mobile subscribers to better target ads at them.

White said that, in the wake of the ad industry reports, he decided to develop a web page to let people check if they are sending out a UIDH.

After reading about PrecisionID, South Africans used White’s tool to test our mobile networks and were horrified to discover that Vodacom was sending out far more than just a random string of characters as a UIDH.

Testing South Africa’s mobile operators

Vodacom UID HTTP header test with do not track enabled

Our own testing with White’s web page suggests that Vodacom is the only mobile network in South Africa doing this.

Tests for most of the mobile broadband networks in South Africa were conducted using an Alcatel OneTouch W800Z USB modem which was plugged into a computer running Mozilla Firefox on Ubuntu.

Other devices were also used for testing, but to ensure uniformity we decided to use the above set-up for our main investigation.

No UIDH appeared to be injected on the Cell C HSPA+ network, MTN’s HSPA+ network, or Telkom’s HSPA+ network.

However, both Vodacom’s HSPA+ and LTE networks injected additional data into the HTTP headers. Most notably:

  • X-UP-3GPP-IMEISV: The IMEISV. IMEI/SV stands for International Mobile Station Equipment Identity and Software Version and is unique to your cellular device.
  • X-UP-3GPP-SGSN-MCC-MNC: A number identifying which network the request is coming from. In this case, 65501 for Vodacom.
  • X-UP-VODACOMGW-SUBID: A unique identifier for a subscriber. In Vodacom’s case, your cellphone number appears here. There are mentions of US operator AT&T using this field in its modified headers from as early as 2012. Unlike Vodacom, however, AT&T did not appear to use its subscribers’ phone numbers for the SUBID.
  • X-UP-CALLING-LINE-ID: Your phone number (including country dialling code), included a second time.
  • X-VF-ACR: A string of what appears to be Base64-encoded data. Online reports suggest that this is injected by Vodafone networks all over the world.
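What a site operator can do with this list, as an added example (not code from the article or from White's tool): a Python check that flags the headers named above in an incoming request and redacts their values before the request is logged. The sample request, the host name and every value in it except the 65501 network code are constructed.

```python
# Header names are the ones listed in the article; descriptions paraphrase it.
INJECTED = {
    "x-up-3gpp-imeisv": "device identifier (IMEI/SV)",
    "x-up-3gpp-sgsn-mcc-mnc": "network code",
    "x-up-vodacomgw-subid": "subscriber identifier (phone number on Vodacom)",
    "x-up-calling-line-id": "phone number with country dialling code",
    "x-vf-acr": "opaque Base64-looking token",
}

# Constructed request as a server behind the mobile gateway might receive it.
SAMPLE_REQUEST = (
    "GET /check HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox\r\n"
    "DNT: 1\r\n"
    "X-UP-3GPP-IMEISV: 0000000000000000\r\n"
    "X-UP-3GPP-SGSN-MCC-MNC: 65501\r\n"
    "X-UP-VODACOMGW-SUBID: 27820000000\r\n"
    "x-up-calling-line-id: 27820000000\r\n"
    "X-VF-ACR: Q09OU1RSVUNURUQ=\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return (name, value) pairs from the header block of a raw request."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def audit(raw):
    """Return (findings, log_safe_headers) for one raw request."""
    findings, log_safe = [], []
    for name, value in parse_headers(raw):
        kind = INJECTED.get(name.lower())  # header names are case-insensitive
        if kind:
            findings.append((name, kind))
            log_safe.append((name, "[REDACTED]"))  # keep identifiers out of logs
        else:
            log_safe.append((name, value))
    return findings, log_safe
```

Because the headers are added in transit, the browser never sees them; only a check on the receiving server, like this one, can show they are present.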

Vodacom was asked for comment on why it is revealing subscribers’ phone numbers to web servers, but could not immediately provide answers.

A spokesperson for the operator explained that they were tracking down the relevant people in the company with knowledge of the matter and would respond as soon as they could.

Update: Please see Vodacom number leak update
