When mobile users surf the Web they also may be inadvertently disclosing their phone numbers, a security researcher said Thursday.
The problem lies in the way that some networks are reformatting Web data on what are known as proxy servers, which are used to help Web sites display properly on the tiny screens of some phones. According to Collin Mulliner, a graduate student at the Technische Universitat Berlin, some operators are reformatting Web data they send to Web sites too, and adding sensitive customer information, such as phone numbers, which can then be logged by Web publishers.
Mulliner, a self-described mobile phone hacker, discovered the problem by reviewing his personal site’s Web server logs and studying a large number of HTTP (Hypertext Transfer Protocol) headers from mobile carriers.
In a talk at the CanSecWest conference in Vancouver, Mulliner said that he found data that could be used to identify users in some mobile Web traffic sent by large carrier such as the U.K.’s Orange and Canada’s Rogers Wireless. This information sometimes included unique identifiers such as the International Mobile Subscriber Identity number, customer account numbers and — most troubling — the actual mobile phone numbers.
“This is a pretty nice way to track mobile phone numbers,” Mulliner said.
Mulliner does not know why carriers are adding this information to mobile proxy Web requests, but he said it’s a bad practice.
Neither Orange nor Rogers Wireless immediately responded to requests for comment.
In some countries, it’s possible to do reverse lookups of mobile phone numbers, so a Web operator could mine this header information and use it to profile visitors without their knowledge. “You can actually check out who is visiting your Web site,” he said. “Phone numbers are way more personal than your e-mail address.”
The issue primarily affects “medium price-ranged” phones that need a Web proxy to reformat Web pages for their smaller displays. Modern smartphones such as the iPhone or Android do not require this.
For people who worry that their phone may be vulnerable to this problem, Mulliner has set up a Web page that tests for data leakage and reports the HTTP headers it finds. The Web page turns red if it finds a phone number, green if everything seems normal.
Mulliner promises not to save any of the data from these tests.