Dom
Member
Registered: 13th Sep 03
User status: Offline
|
Just been doing some work on a mobile web application and just spotted that my mobile number is parsed via the http headers (header called - HTTP_X_UP_CALLING_LINE_ID). Have only tried an O2 sim, so no idea if it affects other networks, but it appears to be getting added via O2's proxy as the header doesn't show when using Opera (which proxies through its own server).
Did knock up a quick PHP script to dump the headers if anyone is interested in looking - http://domslessor.co.uk/test.php
Surprised nothing has been mentioned in past about this though, as it's a good way to track people
|
Ian
Site Administrator
Registered: 28th Aug 99
Location: Liverpool
User status: Offline
|
You logging it? Got some Opera Mini specific lines relating to the handset.
No CLID though.
|
noshua
Member
Registered: 19th Nov 08
User status: Offline
|
Visited it on my phone and I didn't see the header you mentioned nor my phone number?
|
Toby
Premium Member
Registered: 29th Nov 05
User status: Offline
|
Always wondered how they could tell you're on a mobile device. It's mass that they can even tell what version of Android I'm running! Any way of stopping it? It would be useful for some sites.
|
Sam
Moderator Premium Member
Registered: 24th Dec 99
Location: West Midlands
User status: Offline
|
It's quite easy to detect whether you are on a mobile or not via the user-agent string or something like WURFL.
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
I get the header on Giffgaff (O2).
|
John
Member
Registered: 30th Jun 03
User status: Offline
|
Get it on giffgaff but not orange.
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
|
John
Member
Registered: 30th Jun 03
User status: Offline
|
how do you get giffgaff to show up ed?
Is it a profile that makes voicemail work properly by any chance?
What a stupid iPhone function, being unable to change the voicemail number without a jailbroken phone.
|
Nismo
Member
Registered: 12th Sep 02
User status: Offline
|
Dom is also writing it all to a db
This could be a good way of taking numbers for telesales on websites.
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
quote: Originally posted by John
how do you get giffgaff to show up ed?
Is it a profile that makes voicemail work properly by any chance?
What a stupid iPhone function, being unable to change the voicemail number without a jailbroken phone.
Nope, it's just Jailbroken with FakeOperator installed. I don't use voicemail so I'm glad to be rid of it, I know what you mean though - yet another stupid iPhone quirk.
[Edited on 25-01-2012 by ed]
|
Nismo
Member
Registered: 12th Sep 02
User status: Offline
|
wasn't working for me...
then I realised I was on the wifi
yeah works now, this is pretty good as I'm working on a mobile app interface for our engineers and I can authenticate them by their CLID.
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
I wouldn't use that for authentication. Piece of piss to modify your headers or use CURL to access your service with whatever parameters you like.
|
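The point made in the post above, as an added example that is not part of the thread or any poster's code: the header is only a hint when the request demonstrably arrived from a known carrier gateway, and it is never a credential. The gateway ranges, function names and phone number are constructed placeholders.

```php
<?php
// Hypothetical allowlist of carrier gateway ranges (RFC 5737 documentation nets).
const TRUSTED_GATEWAYS = ['192.0.2.0/24', '198.51.100.0/24'];

// True if IPv4 address $ip falls inside CIDR block $cidr.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = (int)$bits === 0 ? 0 : (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Returns the header value as an untrusted hint, or null.
// Any client can send this header itself, so its presence alone proves nothing.
function carrier_msisdn_hint(array $server): ?string
{
    $value = $server['HTTP_X_UP_CALLING_LINE_ID'] ?? null;
    $peer  = $server['REMOTE_ADDR'] ?? '';
    if ($value === null || !preg_match('/^\+?\d{6,15}$/', $value)) {
        return null;
    }
    foreach (TRUSTED_GATEWAYS as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            return $value; // arrived via a known gateway; still not a credential
        }
    }
    return null; // header supplied by an arbitrary peer: discard it
}

// Mask all but the last three digits before anything is written to a log.
function mask_msisdn(string $msisdn): string
{
    return str_repeat('*', max(0, strlen($msisdn) - 3)) . substr($msisdn, -3);
}

// Constructed requests: same header value, different network peers.
$requests = [
    ['REMOTE_ADDR' => '192.0.2.17',   'HTTP_X_UP_CALLING_LINE_ID' => '447700900123'],
    ['REMOTE_ADDR' => '203.0.113.50', 'HTTP_X_UP_CALLING_LINE_ID' => '447700900123'],
];
foreach ($requests as $r) {
    $hint = carrier_msisdn_hint($r);
    echo $r['REMOTE_ADDR'], ' => ', $hint === null ? 'ignored' : mask_msisdn($hint), PHP_EOL;
}
```

Even for the first request, the returned value should only pre-fill or correlate; the login itself still needs a real credential.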
John
Member
Registered: 30th Jun 03
User status: Offline
|
This is gaining traction, I can see it being turned off fairly quickly.
http://www.engadget.com/2012/01/25/o2-data-breach/
|
xa0s
Banned
Registered: 4th Mar 08
Location: Dartford, Kent Car: Turbo'd Fabia vRS
User status: Offline
|
fine on voda
|
Nismo
Member
Registered: 12th Sep 02
User status: Offline
|
yeah I just noticed it on some sites, it won't be around for long
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
quote: Originally posted by Nismo
Dom is also writing it all to a db
This could be a good way of taking numbers for telesales on websites.
Apparently someone mentioned this to O2 back in 2006 so I suspect plenty of websites are logging the data especially Facebook and Google.
Be interesting to see why O2 feel the need to inject your number into the headers, can't see any technical reason for doing it apart from tracking your web browsing habits.
Either way, using a proxy based browser like Opera (my default browser anyways) bypasses it.
Ian - Nope not logging, just dumping the $_SERVER and Header_List arrays to screen -
code:
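<?php
// Response headers PHP has queued to send (headers_list() does not return request headers).
foreach (headers_list() as $v) {
    print htmlspecialchars($v) . "<br />";
}
print "<br />";
// Request data, including any HTTP_* headers added by an upstream proxy.
// Values are client-controlled, so escape them before echoing into HTML.
foreach ($_SERVER as $h => $v) {
    if (is_array($v)) { $v = implode(' ', $v); } // e.g. argv
    print htmlspecialchars("$h: $v") . "<br />";
}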
|
Nismo
Member
Registered: 12th Sep 02
User status: Offline
|
It's on Sky News now so I expect a Facebook panic by everyone within the hour
|
Nismo
Member
Registered: 12th Sep 02
User status: Offline
|
hmmm they have switched it off as it no longer works.
|
adiohead
Member
Registered: 28th Sep 01
User status: Offline
|
Fine using Opera.
EDIT - no probs on Safari
[Edited on 25-01-2012 by adiohead]
|
John
Member
Registered: 30th Jun 03
User status: Offline
|
quote: Originally posted by Nismo
hmmm they have switched it off as it no longer works.
Still showing here on Dom's link.
|
adiohead
Member
Registered: 28th Sep 01
User status: Offline
|
quote: Originally posted by John
quote: Originally posted by Nismo
hmmm they have switched it off as it no longer works.
Still showing here on Dom's link.
Maybe they haven't switched it off in Scotland yet
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
They're probably reconfiguring the proxies, hence why it works for some and not others.
Interesting response from O2 though -
quote:
.....The mobile number in the HTML is linked to how the site determines that your browsing from a mobile device.
Has anyone tried via tethering (I'm assuming it wouldn't show)? Can't see it being a 'sure fire' way to determine if someone is tethering or not.
By the way, Lewis Peckover's (apparently the guy peddling this) site - http://lew.io/headers.php
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
If it's going via their proxy and adding the CLID header there, then it ought to do it if you're tethered. However, I've got a little app on my phone which lets me spoof my user agent. Perhaps if it gets a non-mobile user agent, it thinks you're tethered? Will have to test...
Speaking of user agents, that response from O2 is pure bullshit and very typical of a company who doesn't respect their customers' intelligence. You detect a mobile browser using the user agent string, not the presence of a special header they've 'accidentally' added in. Or you serve the same web page to mobile and desktop browsers and use CSS3 media queries to adjust the layout accordingly.
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
(Header was removed just after I wrote my reply so didn't have a chance to experiment)
|