EE Privacy Leak
I have discovered that EE is using 'selective header enrichment' to send my phone number (MSISDN) to web sites I visit on my phone using my mobile data.
I don't know if this is intentional or an error on their part but when O2 did this in 2012 there was some backlash. https://nakedsecurity.sophos.com/2012/01/25/smartphone-website-telephone-number/
As well as privacy concerns, it means that if you accidentally click on an advert, an unscrupulous site could sign you up to a subscription.
There's a link in the article to check if your provider is sending your details, but the worrying thing about EE is that they don't seem to be doing it all the time.
So, are you saying they only do it for certain sites? Or is there another criterion? I would think it is more a function of the browser you use rather than the phone. Simple answer, use a third party browser instead of the one built in to the OS that the provider may or may not have modified.
-
If you are concerned use https websites or a vpn as they can’t modify secure connections. You can also turn off 3rd party billing on your account.
Thread running on the EE forums still awaiting a response from the company:
https://community.ee.co.uk/t5/4G-and-mobile-data/Why-do-you-leak-my-phone-number-to-websites-when-browsing-on/m-p/650120/highlight/true
Must say if this turns out to be true I’ll be pretty annoyed as an EE subscriber.
unforeseen wrote: »So, are you saying they only do it for certain sites? Or is there another criterion? I would think it is more a function of the browser you use rather than the phone. Simple answer, use a third party browser instead of the one built in to the OS that the provider may or may not have modified.
I was thinking the same thing, surely this is down to the browser, not the carrier?
Colin_Maybe wrote: »I was thinking the same thing, surely this is down to the browser, not the carrier?
-
-
unforeseen wrote: »I've read it and it appears to be an HTTP header that contains it. These are a product of the browser. This is why I mentioned that the service provider may have modified the inbuilt browser
Spot on again as far as I can see.
The only other conceivable option is that the service provider is intercepting every HTTP request and adding in the header. That begs the question of why? It is of no use to the service provider as it will be added either close to or at their border gateway to the internet in general.
-
unforeseen wrote: »I've read it and it appears to be an HTTP header that contains it. These are a product of the browser. This is why I mentioned that the service provider may have modified the inbuilt browser
Have a look into "Header Enrichment" and "Header Injection".
See #8 re header enrichment.
As far as header injection is concerned, that is to do with modifying the headers sent to a server to enable or cause a security vulnerability. Nothing to do with the discussion.
I think you're wrong. It's routine for providers to connect you through a gateway or proxy where there are additions to the headers. Even ten years ago, X-Forwarded-For was being added.
On a less technical note, your theory can't be correct because the problem affects people with SIM-Free handsets with their own choice of browser. Also, if you connect via Wi-Fi the header isn't added.
Even if it was a "custom browser", then it's still the wrong thing to do.
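An added example, not part of any post in this thread: one way to settle the browser-versus-carrier question on a test server you control is to compare the headers a client sent over plain HTTP with the headers the server received, once on mobile data and once on Wi-Fi. The header-name list, the function names and the sample values below are assumptions constructed for illustration.

```python
import re

# Header names commonly reported for carrier header enrichment (assumed list,
# not taken from the thread; extend it for your own testing).
KNOWN_MSISDN_HEADERS = {
    "x-msisdn", "x-up-calling-line-id", "x-nokia-msisdn",
    "x-wap-network-client-msisdn",
}
# Loose match for a phone number: optional +, then 10 to 15 digits.
PHONE_RE = re.compile(r"^\+?\d{10,15}$")


def mask(value):
    """Hide all but the last three characters so a report is safe to share."""
    return "*" * (len(value) - 3) + value[-3:]


def added_in_transit(sent, received):
    """Headers the server saw that the client never sent (names lowercased)."""
    sent_names = {name.lower() for name in sent}
    return {k.lower(): v for k, v in received.items() if k.lower() not in sent_names}


def find_msisdn_headers(sent, received):
    """Return (header, masked value, reason) for added headers carrying a number."""
    findings = []
    for name, value in sorted(added_in_transit(sent, received).items()):
        value = value.strip()
        if name in KNOWN_MSISDN_HEADERS:
            findings.append((name, mask(value), "known enrichment header"))
        elif PHONE_RE.match(value):
            findings.append((name, mask(value), "value looks like a phone number"))
    return findings


# Constructed sample: what a test client sent and what a test server logged.
SENT = {"Host": "example.test", "User-Agent": "TestBrowser/1.0", "Accept": "*/*"}
RECEIVED_MOBILE = {**SENT, "X-Forwarded-For": "10.20.30.40",
                   "X-UP-CALLING-LINE-ID": "447700900123"}
RECEIVED_WIFI = dict(SENT)

if __name__ == "__main__":
    for label, rec in (("mobile data", RECEIVED_MOBILE), ("Wi-Fi", RECEIVED_WIFI)):
        print(label, find_msisdn_headers(SENT, rec) or "no subscriber number seen")
```

A header that shows up only in the mobile-data capture, and was never sent by the client, was added in the network rather than by the browser.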
This discussion has been closed.