29 August 2010

Orange Spain disclosing user phone number

I'm currently assessing how mobile operators modify and enrich HTTP headers. I´ve already analyzed the main operators in France, Germany, Italy, Spain and UK with very interesting results I´ll publish soon.

The focus of the study is double, first, check how users are identified when using mobile connections to browse the web and second, the modifications that the operators do to the HTTP headers like the User-Agent, Accept, Accept-Encoding...

Regarding user identification mobile operators will normally have two methods depending on the site that the user is accessing. For internal trusted sites they will add the user MSISDN (the phone number) in an HTTP header like x-up-calling-line-id, x-up-subno, x-nokia-msisdn or a proprietary one, while for the rest, and in order to protect user's identity, they will add a temporary ID instead. That will help the web site to track the user activity during a browsing session but will prevent the web site from fully identifying the user.

During the assessment I found that Orange Spain is adding the user MSISDN in any HTTP request sent in its network. This means that it is really simple to get the user phone number from an Orange Spain user. On one hand, I saw that Orange Spain uses the header x-up-calling-line-id to add a user temporary ID that changes every 24h but I also found that in any HTTP request they will add the user phone number in the header X-Network-info.

I copy below an example of the headers where I removed some information. In green there are the headers added by my crawler while in red you can see the extra headers added by the Orange Spain WAP Gateway:

TE: deflate,gzip;q=0.3
Accept: text/html, text/vnd.wap.wml, application/vnd.wap.html+xml, application/xhtml+xml, application/vnd.wap.xhtml+xml, text/x-wap.wml, text/x-hdml, text/vnd.sun.j2me.app-descriptor, application/java-archive, application/octet-stream, image/png, image/gif, image/jpg, image/jpeg, */*, text/x-vcard, text/x-vcalendar, image/vnd.wap.wbmpAccept-Charset: iso-8859-1,utf-8
Accept-Language: en-us,en;q=0.5
User-Agent: HeaderValidator/1.1
Content-length: 0
Via: WTP/1.1 nwg2 (Nokia WAP Gateway 4.1/CD21/4.1.116)
X-Network-info: CSD,34xxxxxxxxx,unsecured
X-Nokia-GATEWAY_ID: NWG/4.1/Build116
x-nokia.wia.accept.original: text/html,text/vnd.wap.wml,application/vnd.wap.html+xml,application/xhtml+xml,application/vnd.wap.xhtml+xml,text/x-wap.wml,text/x-hdml,text/vnd.sun.j2me.app-descriptor,application/java-archive,application/octet-stream,image/png,image/gif,image/jpg,image/jpeg,*/*,text/x-vCard,text/x-vCalendar,image/vnd.wap.wbmp
Connection: close

I notified Orange Spain more than a month ago regarding the misconfiguration and its effects on their own customers but unfortunately it is still there.

If you are a user of Orange Spain have in mind that every web site you access with your mobile phone will get your phone number. Don`t be surprised if you start receiving SMS SPAM or unsolicited calls!


  1. Anonymous30/8/10 14:45

    Already done some time ago, see http://www.mulliner.org/security/httpheaderprivacy.php

  2. notified Orange Spain more than a month ago regarding the misconfiguration and its effects on their own customers but unfortunately it is still there.

  3. i like this good site and more much

  4. Yes really a very nice and useful site i agree with you rashid

  5. Very nice site dear me also agreee

  6. Love your blog. Thanks for sharing this useful information.