Mobile operator Vodacom has admitted that it has been sharing customers’ personal details, including their phone number and the unique IMEI code that identifies a handset’s hardware, with websites when users browse the web from any device connected to a Vodacom network.
MyBroadband’s Jan Vermeulen discovered the issue when he tested South African networks against a tool designed by security researcher Kenneth White. White’s work was highlighted in the international press earlier this week, when he uncovered similar issues at AT&T, Verizon and Sprint in the US.
According to Vermeulen, Vodacom was the only South African network to fail the test.
We tested Vodacom’s network using the same tool several times earlier today, and our number was initially displayed in the request header as per Vermeulen’s findings. This was later obscured in an apparently encrypted key and later vanished altogether – it’s unclear whether this suggests a bug in the system or changes at the network.
Vodacom subscribers have apparently had their data exposed to website servers in this way through a technique called ‘subscriber information injecting’ via header enrichment. What that means is that whenever a Vodacom subscriber visited a website over mobile data, information such as their IMEI number and their mobile number was included in modified versions of the HTTP request headers, which were then sent on to the servers they were visiting.
Vodacom issued a statement earlier tonight, saying that it was investigating the issue as a “matter of urgency”. It didn’t deny that subscriber information injecting was taking place; rather, it said that the information is not “routinely shared”.
“We would like to reassure our customers that their information is not being routinely shared with all websites. Header enrichment is not our default operation; we use it for a select number of Vodacom and trusted third-party services, such as charge-to-bill. We are investigating this as a matter of urgency, and we will provide an update once our investigation is complete,” Vodacom said in a statement to htxt.africa.
This kind of injection is commonly used to let third-party companies verify mobile phone owners for services that are not controlled by the operator but are billed directly to the subscriber’s mobile account, and it is being used by phone networks in the US to sell targeted adverts. It’s offered as a service to networks by most vendors.
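As an added illustration of the header-enrichment problem described above (both the mechanism and its charge-to-bill use), the following is example code written for this article, not a tool from Vodacom, MyBroadband or Kenneth White. It shows how a website operator could audit incoming requests for injected subscriber identifiers: the header names and the sample request are assumptions, since the article does not name the headers Vodacom used, and the IMEI check relies on the Luhn check digit that IMEIs carry.

```python
import re
from typing import Dict, List, Tuple

# Header names are an assumption: operators and vendors use varying names,
# and the article does not say which ones Vodacom's network injected.
SUSPECT_HEADER_NAMES = {"x-msisdn", "x-up-calling-line-id", "x-imei", "x-nokia-msisdn"}

MSISDN_RE = re.compile(r"^\+?\d{9,15}$")  # E.164-style subscriber number
IMEI_RE = re.compile(r"^\d{15}$")         # 14 digits plus a Luhn check digit


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum (IMEIs do)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_enriched_headers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag non-standard request headers whose values look like an IMEI or MSISDN.

    Only known enrichment headers and X- headers are inspected, so a standard
    header such as Content-Length is never misread as a subscriber identifier.
    Returns (header name, 'imei' | 'msisdn') pairs.
    """
    findings = []
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SUSPECT_HEADER_NAMES and not lname.startswith("x-"):
            continue
        v = value.strip()
        if IMEI_RE.match(v) and luhn_valid(v):
            findings.append((name, "imei"))
        elif MSISDN_RE.match(v):
            findings.append((name, "msisdn"))
    return findings


# Constructed sample request: the IMEI is the well-known documentation value
# 49-015420-323751-8 and the MSISDN is a made-up number, not a real subscriber.
SAMPLE_HEADERS = {
    "Host": "example.com",
    "User-Agent": "Mozilla/5.0",
    "Content-Length": "490154203237518",  # same digits in a standard header: ignored
    "X-Forwarded-For": "10.0.0.1",
    "X-MSISDN": "27820000000",
    "X-IMEI": "490154203237518",
}

if __name__ == "__main__":
    for header, kind in find_enriched_headers(SAMPLE_HEADERS):
        print(f"injected subscriber identifier in {header} ({kind})")
```

Logging such findings per request lets a site owner tell whether its visitors’ network is enriching headers, and a subscriber can run the same check against a page that echoes request headers back to them.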