
Vodacom is sharing my number with every site I visit from my phone

Joined
Jan 26, 2012
Messages
24
#1
Moved from this thread: http://mybroadband.co.za/vb/showthr...smitted-when-browsing-the-Internet?styleid=28 as per Elimental's recommendation

I have found that my phone shares details about me to every site I visit.

I am with Vodacom and have a Samsung Galaxy SII. Strangely, it only does it if I browse from the native browser.

Either way, I set up my own little test, which includes the MXIT user ID, which seems to also be the user's phone number (not tested; please let me know if you have MXIT): http://jeffsdigitalkitchen.co.za/phonetest/

I also wrote a blog post about it here: http://www.jeffsdigitalkitchen.co.za/cellular-privacy/

I also found a document of previous user information collected by a South African website, which contains a lot of user data, including a ton of phone numbers: http://wap.defza.com/ua/ua.txt

Looking at this you can see that it is pretty much only Vodacom contract phones. Except for the MXIT data, which does not seem to be network specific.

Does anyone know if this is legal? I shouldn't think it is to be honest.
 
Joined
Jan 26, 2012
Messages
24
#2
OK, so I have been running some more tests. It seems to only be happening to a few accounts. So far the pattern is Android devices with Vodacom contracts (mobileGenericPlan,Vodacom,mobilePushEnabledPlan) or something along those lines. Like I said before, I only get it when I use my native browser. In fact, in my testing so far it is limited to Galaxy S2 handsets.
 

Fudzy

Guest
#3
Doesn't do it on my HTC Desire. Oh and I'm on MTN just to further prove it being just a Vodacom thing.
 
Joined
Jan 26, 2012
Messages
24
#5
OK, have had a BlackBerry Torch and an older Nokia Symbian device run the test. Both returned their numbers, both Vodacom contracts.
 

mike156

Senior Member
Joined
Oct 4, 2011
Messages
600
#6
Vodacom topup with Galaxy S - no visible user information besides phone model and operating system with native browser.
 
Joined
Jan 26, 2012
Messages
24
#7
Got an HTC Desire with a Vodacom contract posting the number too. Still no response on whether this is legal?
 

Edduck

Expert Member
Joined
May 20, 2009
Messages
1,227
#9
Are you sure you don't have some sort of autofill feature which could be propagated from your phone settings or even online via a Google/Facebook account?

Have you tried clearing all history, cookies and browser autofill history?
 

PsyWulf

Executive Member
Joined
Nov 22, 2006
Messages
8,151
#11
> Are you sure you don't have some sort of autofill feature which could be propagated from your phone settings or even online via a Google/Facebook account?
>
> Have you tried clearing all history, cookies and browser autofill history?

From what I can ascertain, the information is passed in the headers, not a form (submit) block.
 
Joined
Jan 26, 2012
Messages
24
#12
> Are you sure you don't have some sort of autofill feature which could be propagated from your phone settings or even online via a Google/Facebook account?
>
> Have you tried clearing all history, cookies and browser autofill history?

Definitely passed through the headers. That is how I am extracting it with PHP: I am asking for the header information. For some reason it does not do it when I use Firefox. So that is my quick fix solution for now.
 

JAV

Well-Known Member
Joined
Mar 1, 2008
Messages
138
#13
> From what I can ascertain, the information is passed in the headers, not a form (submit) block.

Definitely passed in the headers. Checked with a Samsung GS2, but what's weird is it seems to be only passed by the native browser when the VC proxy is used. Turn off the proxy, headers gone. Also checked with Dolphin browser and no such headers are set with or without VC proxy.

Tethered via USB, checked with PC and no headers.

So must be the combo of native browser and VC proxy...
 
Joined
Jan 26, 2012
Messages
24
#14
> So must be the combo of native browser and VC proxy...

Yes, this is what I have found with my testing so far. This is not exclusively an Android thing though, as I have tested an older Nokia Symbian that did it, a BlackBerry Torch and an HTC Desire (although this is also Android). I'm just not sure if Vodacom is putting the headers in but some software (OS or browsers or whatever) is stripping it, or if Vodacom is supposed to be stripping this information and is struggling in some cases to do so. I think it's the former though.
 

JAV

Well-Known Member
Joined
Mar 1, 2008
Messages
138
#15
Just thought of something...

The older SIMs, when you got the package with the SIM, the cell number was printed on the packaging. With the new packs, the number is only assigned to the SIM after it is activated.

Now what I was thinking, maybe on the older SIM cards the actual cell number was "programmed" into the SIM, hence why the phone - and browser - could retrieve the number and thus send it as a header. The newer SIMs don't have this, and thus the device cannot set these headers.

Could be the reason why some are reporting the number and others not.

Doesn't explain the proxy phenomenon though... :confused:
 

tnero

Active Member
Joined
Feb 24, 2011
Messages
56
#17
http://www.theregister.co.uk/2012/01/25/o2_number_sharing/


Why O2 shared your mobile number with the world

And why they'll probably do similar again
By Bill Ray

Posted in Mobile, 25th January 2012 17:14 GMT
O2 has been sharing customers' phone numbers with every website they visited, but O2 isn't the only offender - it's just the one that slipped up and got caught.

The Information Commissioner will investigate, and O2 will be told it should be more careful in future. Punters will be outraged but actually suffer very little as few websites collect unknown HTTP headers like the one in which mobile numbers were embedded. O2 has provided a simplified FAQ, which explains almost nothing - specifically what the operator might do to prevent such a thing happening again.

To understand how, and why, O2 started leaking customer data one has to realise that mobile networks are very unlike their fixed contemporaries, that they routinely interfere with the web pages sent and received over data connections, and that if they didn't the UK government would step in and force them to do so.

Delivering customer phone numbers to every website, in the HTTP headers, wasn't a deliberate policy nor some form of conspiracy, just a badly configured proxy that should have removed the data before it left the company's network. Adding the information wasn't the mistake, failing to take it away is what caused the problem.

How it happened
Mobile web browsing is different from fixed browsing for one important reason - the network can absolutely, and securely, identify the customer from the SIM card, which opens up lots of opportunities unavailable to fixed ISPs. Once the customer has been identified then services can be automatically billed to that user, allowing seamless payments, and privileged information (such as billing or customer care) can be displayed without needing passwords or user names, most of which is genuinely very useful.

A mobile phone can't append its number to web requests: most mobile phones don’t know their own number, and even if they did they couldn't be trusted, so the network identifies the user in communication with the SIM, then appends that information to the HTTP headers for use by other servers within the operator's network.

There's no standard way of doing that. Back in 2010 researchers in Germany found the same information in about 20 different HTTP headers [PDF], sometimes replicated by different systems within one operator's network (two different routers adding the same information, under a different name, entirely unaware of each others' existence).
 

jannievanzyl

Telecoms expert
Joined
Jun 14, 2009
Messages
4,862
#18
I've tested on a number of handsets / contract types. So far can't reproduce this.

1. Galaxy Note on VC contract
2. Galaxy SII on VC contract
3. Galaxy Y-Pro on VC prepaid
4. IPhone 4 on VC contract
5. BB 9700 on VC Topup

All of the above on native OS browsers
 
Joined
Jan 26, 2012
Messages
24
#19
OK I have been reading around and found a tantalising little research paper from Germany which attempts to explain how this happens. http://www.mulliner.org/collin/academic/publications/mobile_web_privacy_icin10_mulliner.pdf It says a lot of interesting stuff and is worth a read but I particularly wanted to share this picture with you.



So what these guys are saying is that the data is added when the signal passes through the WAP/HTTP Gateway/Proxy on Vodacom's side. They also note a significantly high occurrence in South Africa within their results.
 

ColinR

Expert Member
Joined
Aug 24, 2006
Messages
3,751
#20
It is based on whether you are using the Vodacom proxy server or not. The proxy server adds the MSISDN to the headers. I know Vodacom4me used the information at one stage to identify you.
I've not tried it on my current phone, but about 4 years ago on my Nokia - I could see my number.
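
Added example, not part of the thread or any poster's code: the Register article quoted above says the proxy should have removed subscriber data before requests left the operator's network, and that there is no standard header name for it. This Python example of that egress step flags headers by name hint or by an MSISDN-looking value and strips them for external hosts; the sample header names, hosts and numbers are constructed, and the name hints are assumptions.

```python
import re

# Headers a browser or ordinary proxy sends; never treated as subscriber data.
STANDARD = {"host", "user-agent", "accept", "accept-language", "accept-encoding",
            "connection", "cookie", "referer", "via", "cache-control",
            "content-type", "content-length", "x-forwarded-for"}

# MSISDN-looking value: E.164 ("+" optional, 10-15 digits) or national 0XXXXXXXXX.
MSISDN_RE = re.compile(r"(?<!\d)(?:\+?[1-9]\d{9,14}|0\d{9})(?!\d)")

# Name fragments to match on (assumption: operators use no standard name).
NAME_HINTS = ("msisdn", "imsi", "subscriber")


def classify(headers):
    """Return {header_name: "name" | "value"} for headers that look like
    subscriber identifiers. Value matching can over-flag long numeric IDs,
    which is the safe direction for an egress filter."""
    flagged = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in STANDARD:
            continue
        if any(hint in lname for hint in NAME_HINTS):
            flagged[name] = "name"
        elif MSISDN_RE.search(value):
            flagged[name] = "value"
    return flagged


def scrub_for_egress(headers, host, internal_suffixes):
    """Keep identifier headers only for the operator's own hosts."""
    if any(host == s or host.endswith("." + s) for s in internal_suffixes):
        return dict(headers)
    leaks = classify(headers)
    return {k: v for k, v in headers.items() if k not in leaks}


# Constructed sample request as it might look after the operator proxy.
SAMPLE = {
    "Host": "example.org",
    "User-Agent": "Mozilla/5.0 (Linux; U; Android 2.3.3)",
    "Accept": "*/*",
    "X-MSISDN": "27820000000",            # flagged by name
    "X-Operator-Sub": "0820000000",       # hypothetical name, flagged by value
    "X-Device-Profile": "http://example.invalid/profile.xml",
}

if __name__ == "__main__":
    print(classify(SAMPLE))
    print(scrub_for_egress(SAMPLE, "example.org", ["operator.example"]))
```
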
 