Tinyhack.com

Your Phone Number Might Get Leaked While Browsing With Your Cellphone

I Just moved my web hosting to hostmonster, and I use my cell phone (Nokia E61) to try out the speed because I am planning to create a mobile version for my other site (http://www.compactbyte.com), and to my surprise, I see My Phone Number when checking the site configuration using phpinfo().

The phone number (complete with the country code) is included on the request HTTP_USER_IDENTITY_FORWARD_MSISDN. it seems that my mobile carrier (XL) uses Huawei Technologies Gateway. I know the gateway from the value of HTTP_VIA Which says: "(InfoX WAP Gateway), HTTP/1.1, Huawei Technologies", and the existence of HTTP_X_HUAWEI_NASIP that says my private (internal) IP address.


How can this happen? This happens because of a combination of a lot of things. First: this is because I have set a proxy in my Access Point setting. Well actually I didn’t set the proxy manually, but it was automatically set by the setup wizard. There are other ways to set up your access point: by asking for a configuration to be sent through SMS (which will give you the exact same settings, including the proxy), or by manual configuration.

So you have a proxy, big deal, this shouldn’t be a problem. But the second element that gives trouble is that: the default web browser uses the proxy settings defined in the access point. You might say that they should use the proxy defined in the access point setting (after all what does it do if you don’t use it). But unfortunately, the proxy itself has a problem.

The problem is that the proxy was meant to be used by WAP browsers. WAP 1.0 must use a proxy to connect to the Internet, but WAP 2.0 doesn’t need a proxy at all. The setting wizard and the SMS configuration assume that you will need a proxy. Since this proxy is now used not only by WAP browser but also by a Web browser, the proxy must support both protocols. Supporting both protocols is fine if it was properly set.
The third part of the combination that causes the problem is that: the proxy is not properly configured. Some people had the idea of sending phone numbers to WAP Sites for billing purpose using HTTP headers. This is actually not a bad idea, but the problem is that it should only send the phone numbers to predefined WAP sites (sites that has a deal with the mobile carrier). The proxy has been misconfigured in because It sends phone numbers to any sites on the Internet. For WAP 1.0, the proxy can actually detect if the request is for WAP or HTTP, but since WAP 2.0 uses a direct HTTP request, the proxy can not differentiate the request.
My phone number will not be leaked if I do one or both of these things:

Other mobile carriers may leak your phone number in different ways. I have created a script, that you can use to test this leak at http://www.tinyhack.com/check.php that will show the HTTP headers this server received. If you try to browse using your phone and you see your phone number there, then you’re in trouble. Imagine you get a call from a marketer when you visit their site, not very funny isn’t it?.

What scares me is that a wrong setup in a mobile carrier can make your phone number to be visible to the outside world. Imagine if my provider uses a transparent proxy, then it doesn’t matter if I use opera, the default web browser, or even my computer, my phone number will still be visible. If that happens, I have to use an anonymizing proxy (with the hope that they will strip those headers) or use Opera Mini (which is a bit limited for some purpose).

Exit mobile version