Friday, February 24, 2012

Mobile subscriber leakage in HTTP headers in the wild

At the end of January mobile phone company O2 admitted that because of a technical failure it had been leaking the mobile phone numbers of people who browsed using their phones on the O2 network. The phone numbers were being leaked to the web sites people visited.

On that day I set up logging on to see if the same thing happened again, and to gather information on in the wild leakage of phone numbers in HTTP headers. The bottom line is that in a month of gathering data I've seen phone numbers sent to my server likely without the person browsing knowing.

The most common headers I've seen are MSISDN and X-MSISDN. Both seem to contain the phone's MSISDN (i.e number). About 1 in every 22,000 visits to the site had the MSISDN header in it with something that looked like a valid phone number.

Another common header was X-UP-SUBNO which AT&T apparently adds. This contains a unique identifier for the subscriber. A typical X-UP-SUBNO in my log files looks like: T_ILL_CHI_1311xxxxxx00010xxxxxxx or T_DLS_DFW_1283xxxxxx00010xxxxxxx (I have replaced some numbers with x to preserve the visitor's privacy). About 1 in every 3,000 visits to had a unique AT&T identifier in it. This doesn't appear to be the phone number.

One mobile visitor in the last month had headers called X-UP-SUBSCRIBER-COS, X-OPWV-DDM-HTTPMISCDD, X-OPWV-DDM-IDENTITY, X-OPWV-DDM-SUBSCRIBER. Between them they were full of base 64 encoded data containing details of what appeared to be the plans the subscriber was on (mobileGenericPlan, Vodacom, mobilePushEnabledPlan). And there were a variety of identifiers for the subscriber, device and 'station id'.

Then there were a bunch of headers apparently added by Sprint PCS containing a CLIENTID encoded with base 64. And Vodafone seemed to be injecting big chunks of base64 in an X-VF-ACR header.

It's hard to see why these headers should be sent all the way to the origin web server.

PS While looking at the headers the most WTF I came across were the headers X_MTI_USERNAME, X_MTI_EMAIL and X_MTI_EMPID which appeared to be giving the username, email address and employee ID(?) of someone at a company called Meyer Tool.

No comments: