Elisa sends your phone number to every web site
Did you know that if you use the wireless browser in your mobile handset, your operator might be leaking your identity to every single web site you are visiting? I didn't, until today...
I whipped up a short jsp page to show the headers that my phone browser is sending, and lo and behold! there is my mobile phone number in plain text, sent to every web site. Check below for the log file, look for the x-msisdn and x-network-info -fields.
27/06/05 21:00:52 (188.8.131.52): user-agent: Nokia3220/2.0 (03.60) Profile/MIDP-2.0 Configuration/CLDC-1.1
27/06/05 21:00:52 (184.108.40.206): via: HTTP/1.1 wgw3.radiolinja.fi (XMG 724Solutions HTG BA_PC5_M1_B012 20041105.230426)
27/06/05 21:00:52 (220.127.116.11): x-msisdn: 358505476XXX
27/06/05 21:00:52 (18.104.22.168): x-network-info: GPRS,22.214.171.124,358505476XXX,unsecured
27/06/05 21:00:52 (126.96.36.199): x-wap-profile: "http://nds1.nds.nokia.com/uaprof/N3220r100.xml"
(The XXX is my own doing; the phone number is really fully visible.)
I would tell you if this is true also if you are using your phone as a modem, but as my luck has it, my Mac died this morning (I tried to install Windows 98 under QEmu: it did the Microsoft thing and forced me to reinstall OSX after playing havoc with it, and now the entire computer is dead), and none of my cell phones work with my work laptop (after an upgrade to XP). Or actually, one of them would, if it hadn't just died last week thanks to a flashing mishap. I have now four dysfunctional phones and two dysfunctional laptops. As a personal note, I'm having a really lousy week already. Update. Chris says it's only when you're using the WAP gateway. So modem users are fine.
So, if anyone is using Elisa GPRS or 3G on their laptop, I would appreciate it if you could test it here, drop me a comment here and I'll publish the findings (without your phone number). Other operators are welcome, too. It should work with non-Finnish operators, too.
While sending the mobile phone number is probably not illegal, I still feel a bit iffy thinking that anyone can trivially figure out who I am when I browse their web site. There is no option to turn this off, and Elisa is not publicizing this fact either - in fact, a google for x-msisdn yields 23 results. So this thing is not even very well known. It would also be interesting to know if this still happens if you have an unlisted phone number.
I sent an email to Elisa's customer service and asked about their policy towards publishing subscriber information. I'll let you know if I get any answers. Until then, I would recommend that you are careful as to which web/wap sites you go to with your cell phone. Unless, of course, you don't mind them getting your phone number.
(Thanks to Jaakko Rajaniemi for the tip.)
Update: Saunalahti seems to also leak the phone number.
Back to weblog
|"Main_blogentry_270605_2" last changed on 28-Jun-2005 16:43:50 EEST by JanneJalkanen.