Vodacom is providing information which uniquely identifies you as a subscriber to every website you visit while on its data network. This was revealed by an online tool created by security researcher Kenneth White.
Among the data Vodacom subscribers are inadvertently providing to web servers is their phone number and a unique identifier for their device called the IMEI/SV.
Recent media reports suggest that this data is being sent to web servers because Vodacom is modifying the web traffic of its subscribers.
In particular, it is injecting an additional hypertext transfer protocol (HTTP) header into the messages subscribers send to servers when requesting items such as web pages.
Tech-savvy Vodacom customers noticed and started reporting the issue after international publications picked up that Verizon, a mobile network in the United States, was sending websites a “permanent cookie”.
Verizon calls the technology “PrecisionID”, and refers to this “perma-cookie” (a string of many characters) as the Unique Identifier Header (UIDH).
Advertising industry reports say that PrecisionID was designed to help advertisers uniquely identify mobile subscribers to better target ads at them.
White said that, in the wake of the ad industry reports, he decided to develop a web page to let people check if they are sending out a UIDH.
After reading about PrecisionID, South Africans used White’s tool to test our mobile networks and were horrified to discover that Vodacom was sending out far more than just a random string of characters as a UIDH.
Testing South Africa’s mobile operators
Our own testing with White’s web page suggests that Vodacom is the only mobile network in South Africa doing this.
Tests for most of the mobile broadband networks in South Africa were conducted using an Alcatel OneTouch W800Z USB modem which was plugged into a computer running Mozilla Firefox on Ubuntu.
Other devices were also used for testing, but to ensure uniformity we decided to use the above set-up for our main investigation.
No UIDH appeared to be injected on the Cell C HSPA+ network, MTN’s HSPA+ network, or Telkom’s HSPA+ network.
However, both Vodacom’s HSPA+ and LTE networks injected additional data into the HTTP headers. Most notably:
- X-UP-3GPP-IMEISV: The IMEISV. IMEI/SV stands for International Mobile Station Equipment Identity and Software Version and is unique to your cellular device.
- X-UP-3GPP-SGSN-MCC-MNC: A number identifying which network the request is coming from. In this case, 65501 for Vodacom.
- X-UP-VODACOMGW-SUBID: A unique identifier for a subscriber. In Vodacom’s case, your cellphone number appears here. There are mentions of US operator AT&T using this field in its modified headers from as early as 2012. Unlike Vodacom, however, AT&T did not appear to use its subscribers’ phone numbers for the SUBID.
- X-UP-CALLING-LINE-ID: Your phone number (including country dialling code), included a second time.
- X-VF-ACR: A string of what appears to be Base64-encoded data. Online reports suggest that this is injected by Vodafone networks all over the world.
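The kind of server-side check described above can be sketched in a few lines of Python. This is an added example, not code from the article or from White's tool: the function and class names are hypothetical, X-UIDH is the request header that carries Verizon's UIDH, and the sample values are constructed.

```python
from http.server import BaseHTTPRequestHandler

# Names from the list above, plus X-UIDH, the header that carries Verizon's UIDH.
INJECTED = {
    "x-up-3gpp-imeisv": "device IMEI/SV",
    "x-up-3gpp-sgsn-mcc-mnc": "network code (MCC+MNC)",
    "x-up-vodacomgw-subid": "subscriber ID",
    "x-up-calling-line-id": "phone number",
    "x-vf-acr": "Vodafone ACR token",
    "x-uidh": "Verizon UIDH",
}

def mask(value, keep=4):
    """Hide all but the last `keep` characters so the report does not re-leak the value."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]

def find_injected(headers):
    """Return {header: (meaning, displayable value)}; names match case-insensitively."""
    found = {}
    for name, value in headers.items():
        key, value = name.lower(), value.strip()
        if key not in INJECTED:
            continue
        is_plmn = key == "x-up-3gpp-sgsn-mcc-mnc" and value.isdigit() and len(value) >= 5
        # The network code is not personal, so show it split into MCC and MNC.
        shown = f"MCC {value[:3]}, MNC {value[3:]}" if is_plmn else mask(value)
        found[key] = (INJECTED[key], shown)
    return found

class CheckHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        found = find_injected(dict(self.headers.items()))
        lines = [f"{k}: {m} = {v}" for k, (m, v) in sorted(found.items())]
        body = ("\n".join(lines) or "No known injected headers seen.").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.end_headers()
        self.wfile.write(body)

# Constructed sample request headers; every value is made up.
SAMPLE = {
    "Host": "example.test",
    "X-UP-CALLING-LINE-ID": "27820000000",
    "X-UP-3GPP-SGSN-MCC-MNC": "65501",
    "x-up-3gpp-imeisv": "0000000000000000",
}

if __name__ == "__main__":
    print(find_injected(SAMPLE))
    # To serve it: http.server.HTTPServer((addr, port), CheckHandler).serve_forever()
```

The check has to be served over plain HTTP, because a network proxy cannot add headers inside a TLS connection it does not terminate; the same request made over HTTPS reaches the server without them.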
Vodacom was asked for comment on why it is revealing subscribers’ phone numbers to web servers, but could not immediately provide answers.
A spokesperson for the operator explained that they were tracking down the relevant people in the company with knowledge of the matter and would respond as soon as they could.
Update: Please see Vodacom number leak update