Vodacom exposing your number to every website you visit

HTTP headers are being injected into requests you send to web servers

By - October 29, 2014 Share on LinkedIn
Cellphone privacy booth

Vodacom is providing information which uniquely identifies you as a subscriber to every website you visit while on its data network. This was revealed by an online tool created by security researcher Kenneth White.

Among the data Vodacom subscribers are inadvertently providing to web servers is their phone number and a unique identifier for their device called the IMEI/SV.

Recent media reports suggest that this data is being sent to web servers because Vodacom is modifying the web traffic of its subscribers.

In particular, it is injecting an additional hypertext transfer protocol (HTTP) header into the messages subscribers send to servers when requesting items such as web pages.

Tech-savvy Vodacom customers noticed and started reporting the issue after international publications picked up that Verizon, a mobile network in the United States, was sending websites a “permanent cookie”.

Verizon calls the technology “PrecisionID”, and refers to this “perma-cookie” (a string of many characters) as the Unique Identifier Header (UIDH).

Advertising industry reports say that PrecisionID was designed to help advertisers uniquely identify mobile subscribers to better target ads at them.

White said that, in the wake of the ad industry reports, he decided to develop a web page to let people check if they are sending out a UIDH.

After reading about PrecisionID, South Africans used White’s tool to test our mobile networks and were horrified to discover that Vodacom was sending out far more than just a random string of characters as a UIDH.

Testing South Africa’s mobile operators

Vodacom UID HTTP header test with do not track enabled

Vodacom UID HTTP header test with do not track enabled

Our own testing with White’s web page suggests that Vodacom is the only mobile network in South Africa doing this.

Tests for most of the mobile broadband networks in South Africa were conducted using an Alcatel OneTouch W800Z USB modem which was plugged into a computer running Mozilla Firefox on Ubuntu.

Other devices were also used for testing, but to ensure uniformity we decided to use the above set-up for our main investigation.

No UIDH appeared to be injected on the Cell C HSPA+ network, MTN’s HSPA+ network, or Telkom’s HSPA+ network.

However, both Vodacom’s HSPA+ and LTE networks injected additional data into the HTTP headers. Most notably:

  • X-UP–3GPP-IMEISV: IMEISV, IMEI/SV stands for International Mobile Station Equipment Identity and Software Version and is unique to your cellular device.
  • X-UP–3GPP-SGSN-MCC-MNC: A number identifying which network the request is coming from. In this case, 65501 for Vodacom.
  • X-UP-VODACOMGW-SUBID: A unique identifier for a subscriber. In Vodacom’s case, your cellphone number appears here. There are mentions of US operator AT&T using this field in its modified headers from as early as 2012. Unlike Vodacom, however, AT&T did not appear to use their subscriber’s phone numbers for the SUBID.
  • X-UP-CALLING-LINE-ID: Your phone number (including country dialling code), included a second time.
  • X-VF-ACR: A string of what appears to be Base 64 encoded data. Online reports suggest that this is injected by Vodafone networks all over the world.

Vodacom was asked for comment on why it is revealing subscribers’ phone numbers to web servers, but could not immediately provide answers.

A spokesperson for the operator explained that they were tracking down the relevant people in the company with knowledge of the matter and would respond as soon as they could.

Update: Please see Vodacom number leak update

Top-secret South African satellite

Vodacom launches voice security access

New CIPC website exposes private information: complaint

FNB website exposed private information

Massive privacy, security flaw with Gautrain-linked site

Did SA government blow €2-million on spyware?

Share your thoughts

Join the conversation

Connect with Us

androidappletwitterfacebookgoogleplusfeednewsletter

Poll

What is your primary source of Internet connectivity at home?

View Results

Loading ... Loading ...

More News

Top PC brands in South Africa 2016

Dell laptop

MyBroadband’s 2016 Technology Survey has revealed the top PC and component brands among South African techies.

Top 10 global Twitter conversations of 2016

Twitter on phone

Twitter has released its top conversations of the year, which include the Rio Olympics and the US elections.

Jacob Zuma is not getting a salary increase this year

Jacob Zuma South Africa flag

President Jacob Zuma has affirmed the recommendation not to increase the salaries of public office bearers for the 2016/17 financial year.

Why certain iPhone 6s batteries failed

Apple iPhone 6S unboxing

Apple said it has discovered why the batteries in certain iPhone 6s smartphones failed.

Free MyBroadband Newsletter
×