Monday, February 15, 2016

Browser MetaData Leakage

I read this recent post by Dr. Neal Krawetz with some wonder and amazement.

He followed that one up with another related post, Just Browsing. See also his Invasion of Privacy post for browser fingerprinting and some perspective on “private/incognito” browsing session tracking.

The identification that (in some cases) your cellphone carrier could be adding extra headers to your smart-device information requests is not shocking in this day and age. But that it could contain (leak) your personally identifiable cell phone number was quite a surprise!

From Dr. Krawetz’s post:

Consumer Cellular has agreements to use T-Mobile and AT&T networks. If my cellphone uses the T-Mobile network, then no extra headers are added to my HTTP requests. However, if my phone uses AT&T's network, then AT&T appends a lot of personal information to every HTTP request:

  • X-Att-Imsi: This is my International Mobile Subscribed Identity and is unique to my phone.
  • X-Att-Plmn-Id: This contains my MCC+MNC code; that's the mobile country code (MCC) and mobile network code (MNC). These values identify the country and carrier. For example, MCC 310 is the United States, and MNC 410 in the United States is Cingular Wireless (now AT&T).
  • X-Up-Calling-Line-Id: This contains my cellphone number. Seriously: AT&T sends my direct cellphone number to every website my phone visits. Looking over my web server logs, I see other people who have been through this same path. Thanks to AT&T, I have direct phone numbers for people in Portland, Oregon and Cincinnati, Ohio and Roanoke, Virginia and... I'm actually surprised that my cellphone hasn't received more telemarketer calls.
  • X-Up-Subno: This very-disturbing field includes a timestamp that shows when (down to the second) I signed up with Consumer Cellular.

That got me looking for more information and I didn’t find much.

This circa 2012 post goes into some additional details:

It points to a test web page maintained by the interviewed researcher Collin Mulliner that can show some of your browser headers:

Running several tests with my cellular devices (with Wi-Fi disabled to force the data cross AT&T’s network) came back “clean” of any PII meta data; at least as far as this particular test was able to detect.

More information on the project and issue details here: HTTP Header Privacy info page

It was noted by the post author that the issue was with “medium-price-ranged” phones that needed a Web proxy to reformat Web content. And that iPhones and Androids do not do this.

I do plan to hit this Choices and Controls | AT&T Privacy Policy site with my devices as well to then “opt-out” of several of their analytics services listed there.

Finally, Martin Brinkmann at has an astounding roundup of links related to online privacy checkers.

That one is a keeper in your bookmarks.

Constant Vigilance!

--Claus Valca

No comments: