corsasport.co.uk
Author Mobile Web Leaks Number in Headers
Dom
Member

Registered: 13th Sep 03
User status: Offline
25th Jan 12 at 01:53

Just been doing some work on a mobile web application and just spotted that my mobile number is parsed via the HTTP headers (header called - HTTP_X_UP_CALLING_LINE_ID). Have only tried an O2 SIM, so no idea if it affects other networks, but it appears to be getting added via O2's proxy as the header doesn't show when using Opera (which proxies through its own server).

Did knock up a quick PHP script to dump the headers if anyone is interested in looking - http://domslessor.co.uk/test.php

Surprised nothing has been mentioned in the past about this though, as it's a good way to track people.
Ian
Site Administrator

Registered: 28th Aug 99
Location: Liverpool
User status: Offline
25th Jan 12 at 02:30

You logging it? Got some Opera Mini specific lines relating to the handset.

No CLID though.
noshua
Member

Registered: 19th Nov 08
User status: Offline
25th Jan 12 at 03:22

Visited it on my phone and I didn't see the header you mentioned nor my phone number?
Toby
Premium Member

Registered: 29th Nov 05
User status: Offline
25th Jan 12 at 06:52

Always wondered how they could tell you're on a mobile device. It's mass that they can even tell what version of Android I'm running! Any way of stopping it? It would be useful for some sites.
Sam
Moderator
Premium Member


Registered: 24th Dec 99
Location: West Midlands
User status: Offline
25th Jan 12 at 07:07

It's quite easy to detect whether you are on a mobile or not via the user-agent string or something like WURFL.
ed
Member

Registered: 10th Sep 03
User status: Offline
25th Jan 12 at 09:10

I get the header on Giffgaff (O2).
John
Member

Registered: 30th Jun 03
User status: Offline
25th Jan 12 at 09:13

Get it on giffgaff but not orange.
ed
Member

Registered: 10th Sep 03
User status: Offline
25th Jan 12 at 09:19

John
Member

Registered: 30th Jun 03
User status: Offline
25th Jan 12 at 09:27

how do you get giffgaff to show up ed?

Is it a profile that makes voicemail work properly by any chance?

What a stupid iPhone function, being unable to change the voicemail number without a jailbroken phone.
Nismo
Member

Registered: 12th Sep 02
User status: Offline
25th Jan 12 at 09:28

Dom is also writing it all to a db

This could be a good way of taking numbers for telesales on websites.
ed
Member

Registered: 10th Sep 03
User status: Offline
25th Jan 12 at 09:30

quote:
Originally posted by John
how do you get giffgaff to show up ed?

Is it a profile that makes voicemail work properly by any chance?

What a stupid iPhone function, being unable to change the voicemail number without a jailbroken phone.

Nope, it's just Jailbroken with FakeOperator installed. I don't use voicemail so I'm glad to be rid of it, I know what you mean though - yet another stupid iPhone quirk.

[Edited on 25-01-2012 by ed]
Nismo
Member

Registered: 12th Sep 02
User status: Offline
25th Jan 12 at 09:42

Wasn't working for me...

Then I realised I was on the wifi.

Yeah, works now. This is pretty good as I'm working on a mobile app interface for our engineers and I can authenticate them by their CLID.
ed
Member

Registered: 10th Sep 03
User status: Offline
25th Jan 12 at 10:05

I wouldn't use that for authentication. Piece of piss to modify your headers or use CURL to access your service with whatever parameters you like.
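
Why the header cannot serve as a login credential, shown as an added example that is not part of any post in this thread. The function names, phone number, addresses and token are all constructed for illustration; the header key is the one Dom reported.

```php
<?php
// Added example, not code from the thread. Number, addresses and token are constructed.

// Weak: the caller is whoever the header says it is.
function naive_login(array $server, array $engineers): ?string
{
    $clid = $server['HTTP_X_UP_CALLING_LINE_ID'] ?? '';
    return $engineers[$clid] ?? null;
}

// Hardened: identity comes from a secret the client must present.
// The CLID header is never consulted for the decision.
function token_login(array $server, array $tokenHashes): ?string
{
    $auth = $server['HTTP_AUTHORIZATION'] ?? '';
    if (strncmp($auth, 'Bearer ', 7) !== 0) {
        return null;
    }
    $presented = hash('sha256', substr($auth, 7));
    foreach ($tokenHashes as $user => $hash) {
        if (hash_equals($hash, $presented)) { // constant-time comparison
            return $user;
        }
    }
    return null;
}

$engineers   = ['447700900123' => 'alice'];   // constructed number
$tokenHashes = ['alice' => hash('sha256', 'constructed-demo-token')];

// Stand-ins for $_SERVER on three requests (constructed).
// 1. Relayed by the operator proxy, which injected the header upstream.
$viaProxy = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_UP_CALLING_LINE_ID' => '447700900123'];
// 2. Sent directly by a client that set the same header itself.
$forged = ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_X_UP_CALLING_LINE_ID' => '447700900123'];
// 3. Same client, now also presenting the per-user secret.
$withToken = $forged + ['HTTP_AUTHORIZATION' => 'Bearer constructed-demo-token'];

$requests = ['viaProxy' => $viaProxy, 'forged' => $forged, 'withToken' => $withToken];
foreach ($requests as $name => $req) {
    printf("%-9s naive=%s token=%s\n", $name,
        var_export(naive_login($req, $engineers), true),
        var_export(token_login($req, $tokenHashes), true));
}
```

The naive check gives the same answer for the proxied and the self-set header, because nothing in the request distinguishes them; only the token check separates the three cases.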
John
Member

Registered: 30th Jun 03
User status: Offline
25th Jan 12 at 10:53

This is gaining traction, I can see it being turned off fairly quickly.

http://www.engadget.com/2012/01/25/o2-data-breach/
xa0s
Banned

Registered: 4th Mar 08
Location: Dartford, Kent Car: Turbo'd Fabia vRS
User status: Offline
25th Jan 12 at 11:13

fine on voda
Nismo
Member

Registered: 12th Sep 02
User status: Offline
25th Jan 12 at 11:32

Yeah, I just noticed it on some sites, it won't be around for long.
Dom
Member

Registered: 13th Sep 03
User status: Offline
25th Jan 12 at 12:25

quote:
Originally posted by Nismo
Dom is also writing it all to a db

This could be a good way of taking numbers for telesales on websites.


Apparently someone mentioned this to O2 back in 2006, so I suspect plenty of websites are logging the data, especially Facebook and Google.
Be interesting to see why O2 feel the need to inject your number into the headers, can't see any technical reason for doing it apart from tracking your web browsing habits.

Either way, using a proxy-based browser like Opera (my default browser anyways) bypasses it.


Ian - Nope not logging, just dumping the $_SERVER and Header_List arrays to screen -
code:

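<?php
// Dump the response headers PHP has queued so far.
foreach (headers_list() as $v) {
    print htmlspecialchars($v) . "<br />";
}
print "<br />";
// Dump every $_SERVER entry; request headers appear as HTTP_* keys.
// Values are client-controlled, so escape them before echoing into HTML.
foreach ($_SERVER as $h => $v) {
    // Entries such as argv can be arrays, so flatten before escaping.
    $v = is_array($v) ? implode(' ', $v) : (string) $v;
    print htmlspecialchars($h) . ": " . htmlspecialchars($v) . "<br />";
}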

Nismo
Member

Registered: 12th Sep 02
User status: Offline
25th Jan 12 at 12:36

It's on Sky News now so I expect a Facebook panic by everyone within the hour.
Nismo
Member

Registered: 12th Sep 02
User status: Offline
25th Jan 12 at 12:39

hmmm they have switched it off as it no longer works.
adiohead
Member

Registered: 28th Sep 01
User status: Offline
25th Jan 12 at 12:41

Fine using Opera.

EDIT - no probs on Safari


[Edited on 25-01-2012 by adiohead]
John
Member

Registered: 30th Jun 03
User status: Offline
25th Jan 12 at 12:41

quote:
Originally posted by Nismo
hmmm they have switched it off as it no longer works.


Still showing here on Dom's link.
adiohead
Member

Registered: 28th Sep 01
User status: Offline
25th Jan 12 at 12:44

quote:
Originally posted by John
quote:
Originally posted by Nismo
hmmm they have switched it off as it no longer works.


Still showing here on Dom's link.


Maybe they haven't switched it off in Scotland yet
Dom
Member

Registered: 13th Sep 03
User status: Offline
25th Jan 12 at 12:56

They're probably reconfiguring the proxies, hence why it works for some and not others.

Interesting response from O2 though -
quote:

.....The mobile number in the HTML is linked to how the site determines that your browsing from a mobile device.



Has anyone tried via tethering (I'm assuming it wouldn't show)? Can't see it being a 'sure fire' way to determine if someone is tethering or not.

By the way, Lewis Peckover's (apparently the guy peddling this) site - http://lew.io/headers.php
ed
Member

Registered: 10th Sep 03
User status: Offline
25th Jan 12 at 13:02

If it's going via their proxy and adding the CLID header there, then it ought to do it if you're tethered. However, I've got a little app on my phone which lets me spoof my user agent. Perhaps if it gets a non-mobile user agent, it thinks you're tethered? Will have to test...

Speaking of user agents, that response from O2 is pure bullshit and very typical of a company who doesn't respect their customers' intelligence. You detect a mobile browser using the user agent string, not the presence of a special header they've 'accidentally' added in. Or you serve the same web page to mobile and desktop browsers and use CSS3 media queries to adjust the layout accordingly.
ed
Member

Registered: 10th Sep 03
User status: Offline
25th Jan 12 at 13:05

(Header was removed just after I wrote my reply so didn't have a chance to experiment)
