Vivian Yeo reports:
At the CanSecWest security conference last month, Collin Mulliner, a PhD student at Technical University Berlin, Germany, said confidential data can be leaked due to the addition of HTTP headers at the operator’s HTTP proxy or gateway. Proxies are used to reformat Web pages to suit a smaller screen size.
Data that is commonly revealed include an MSISDN (mobile subscriber integrated services digital network number) or phone number, IMSI (international mobile subscriber identity) or unique SIM card number, IMEI (international mobile equipment identity) or unique phone ID, access point name and customer account number or ID.
[…]
“The problem is that some mobile operators don’t care if the private information of their customers gets leaked to the whole Internet and therefore they don’t configure the Web proxies in the correct way,” said Mulliner. “Privacy-aware operators make sure the information is added only when customers connect to these special service providers and not the whole Internet.”
The problem, he added, also affects nearly all phones. Common phone brands that emerged during Mulliner’s logging of HTTP headers for over a year included LG, Nokia, Samsung and Sony Ericsson. HTC phones running Windows Mobile were also found to be associated with the problem.
Smartphones such as Apple’s iPhone or Android-based phones typically don’t use proxies by default. But if a proxy was configured and the operator inserts customer data, the same issue would occur, he pointed out.
Read more on ZDNet Asia.