Dom
Member
Registered: 13th Sep 03
User status: Offline
|
Looks like Nokia Dev site has an article from 2002 and it looks like other networks do this as well - http://www.mulliner.org/security/feed/random_tales_mobile_hacker.pdf
Ed - Yup, not showing here either now.
[Edited on 25-01-2012 by Dom]
|
John
Member
Registered: 30th Jun 03
User status: Offline
|
Not showing on mine either.
How will they explain this one do you think?
They obviously think it's a bit sneaky if it's been removed so quickly.
|
adiohead
Member
Registered: 28th Sep 01
User status: Offline
|
quote: Originally posted by Dom
Looks like Nokia Dev site has an article from 2002 and it looks like other networks do this as well - http://www.mulliner.org/security/feed/random_tales_mobile_hacker.pdf
Ed - Yup, not showing here either now.
[Edited on 25-01-2012 by Dom]
that's the site I was using to check
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
Don't think they can, certainly it's a load of bollocks if they try and say it was used for tethering detection; as Ed mentioned, user-agent header is used for that. Only reason I can see for it is to track a user's browsing habit.
O2 doesn't appear to be the only network that 'leaks' this type of data though (just look at the PDF I posted).
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
"Routine maintenance that went wrong" - ORLY
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
Reeks of BS. And I bet they've been injecting customers' mobile numbers into the headers for a lot longer than 2 weeks.
Has anyone tried on orange? That PDF lists Orange UK as injecting 'funky' headers.
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
I want to figure out a way of doing some experiments on this. Just need Ian to let me put a 'blank.gif' somewhere on here
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
Just been reading that O2 apparently used it for tracking/billing customers on stores, so it's probably still active on their network and then obviously stripped on the outbound proxies.
Just wondering what would happen if you injected that header into HTTP requests (with another user's number) and whether or not you could gain access to unauthorised areas of the network like billing or download music and get it charged to another account. Food for thought
|
Russ
Member
Registered: 14th Mar 04
Location: Armchair
User status: Offline
|
http://www.thinkbroadband.com/news/4990-o2-shares-your-mobile-phone-number-with-every-website-you-visit.html
|
Steve
Premium Member
Registered: 30th Mar 02
Location: Worcestershire Drives: Defender
User status: Offline
|
Wow this is terrible, I've also just found out when I ring someone my number appears on their screen
[Edited on 28-01-2012 by Steve]
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
You have the option to withhold the number and you know who you're calling. Anyone with half an ounce of sense could quickly send you an e-mail and gain your phone number without your permission then use it for a phishing scam, especially as some of the operators in the PDF Dom shared are also bundling things that look like your customer id etc. in the headers.
|
Ian
Site Administrator
Registered: 28th Aug 99
Location: Liverpool
User status: Offline
|
quote: Originally posted by ed
Just need Ian to let me put a 'blank.gif' somewhere on here
Tell me what you need, I'm on for it.
I actually think it's great news for me, if I had the list of headers I would log them all. Imagine having a trade complaint and getting a verified working contract phone number.
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
Was just thinking something along the lines of:
<img src="https://static.ecscdn.net/logging/blank.gif" />
and blank.gif actually being:
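code:
<?php
// Tracking "image": record the request parameters, then answer as a GIF.
// Assumes an open ext/mysql connection (mysql_* was removed in PHP 7).
header('Content-Type: image/gif');
// serialize() is the PHP spelling; escape the value before it goes into SQL.
$req = mysql_real_escape_string(serialize($_REQUEST));
// `table` is a reserved word in MySQL, so the placeholder name is backtick-quoted.
mysql_query("INSERT INTO `table` (timestamp, request) VALUES (NOW(), '$req')");
?>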
Might need to be slightly different to that, but with that data you could make some interesting tables and graphs.
[Edited on 28-01-2012 by ed]
|
Ian
Site Administrator
Registered: 28th Aug 99
Location: Liverpool
User status: Offline
|
To run on CS? Wouldn't even need to be that complicated, could just go in header.php which is included on every page.
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
Was thinking of doing it that way as I could stick it on all the websites I manage, could be useful anyway to have a database of the data you get from the $_REQUEST array, or maybe just interesting in a geeky kind of way. Would be easier to get other people on board too if it was just a fake image/js file.
|
Ian
Site Administrator
Registered: 28th Aug 99
Location: Liverpool
User status: Offline
|
I was just thinking about getting enough data to establish which headers are in use. Wouldn't want to log all of it for too long, a lot of it is duplicated or not relevant to an investigation.
|
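An added example, not part of the thread or the forum's own code: one way to establish which headers are in use without keeping their values, written as a PHP function that an include such as header.php could call. PHP exposes request headers as HTTP_* entries in $_SERVER; the function name, the list of common headers and the sample header names and number are assumptions made for illustration.

```php
<?php
// Headers an ordinary browser sends; not interesting for this audit (assumed list).
const COMMON_HEADERS = [
    'HOST', 'USER_AGENT', 'ACCEPT', 'ACCEPT_LANGUAGE', 'ACCEPT_ENCODING',
    'CONNECTION', 'REFERER', 'COOKIE', 'CACHE_CONTROL', 'PRAGMA',
    'IF_MODIFIED_SINCE', 'IF_NONE_MATCH', 'DNT', 'UPGRADE_INSECURE_REQUESTS',
];

// Summarise the unusual request headers in a $_SERVER-style array.
// Returns name => ['length' => int, 'looks_like_msisdn' => bool]; values are never kept.
function audit_headers(array $server): array
{
    $found = [];
    foreach ($server as $key => $value) {
        // X-Foo-Bar arrives as HTTP_X_FOO_BAR; skip everything that is not a header.
        if (strncmp($key, 'HTTP_', 5) !== 0 || !is_string($value)) {
            continue;
        }
        $name = substr($key, 5);
        if (in_array($name, COMMON_HEADERS, true)) {
            continue;
        }
        // Strip separators, then test for a phone-number shape:
        // optional '+', then 10 to 15 digits (E.164 allows at most 15).
        $compact = preg_replace('/[\s().-]/', '', $value);
        $found[$name] = [
            'length' => strlen($value),
            'looks_like_msisdn' => preg_match('/^\+?\d{10,15}$/', $compact) === 1,
        ];
    }
    ksort($found);
    return $found;
}

// Constructed sample request; header names and number are made up for the example.
$sample = [
    'REQUEST_METHOD' => 'GET',
    'HTTP_HOST' => 'www.example.org',
    'HTTP_USER_AGENT' => 'ExampleBrowser/1.0',
    'HTTP_X_EXAMPLE_SUBSCRIBER_ID' => '447700900123',
    'HTTP_X_EXAMPLE_GATEWAY' => 'proxy-7',
];
print_r(audit_headers($sample));
```

For the sample, only the two X_EXAMPLE_* headers are reported, and only X_EXAMPLE_SUBSCRIBER_ID is flagged as phone-number shaped; the number itself is not stored.
|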
pow
Premium Member
Registered: 11th Sep 06
Location: Hazlemere, Buckinghamshire
User status: Offline
|
Ummmmm... you learn something new every day. Fucked off they've been transmitting my mobile number though.
|