Orange in Spain reveals user mobile phone numbers to websites, according to a security researcher.
The researcher, who uses the handle 'Xufi', said in a blog post on Sunday that Orange uses phone numbers as part of the identification code sent by the phone to websites to enable the site to keep track of the user during a browsing session.
"If you are a user of Orange Spain, have in mind that every website you access with your mobile phone will get your phone number," wrote Xufi. "Don't be surprised if you start receiving SMS SPAM or unsolicited calls."
Orange adds the user's phone number to a header called 'X-Network-info' on any HTTP request sent to a website, wrote Xufi. This makes it trivial for any website to harvest the phone numbers of visitors who use the Orange mobile network in Spain, said the researcher.
Orange reveals the users' Mobile Subscriber Integrated Services Digital Network Number (MSISDN), an individual number operators use to identify users, primarily for billing purposes, wrote Xufi. The blog post included snippets of network traffic that the researcher said illustrated the finding.
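For a site operator who does not want subscriber numbers ending up in access logs or analytics, the following added example (not from Xufi's post or from Orange) drops the 'X-Network-info' header and masks MSISDN-like digit runs in other headers before they are stored. The header value layout, the 10 to 15 digit heuristic, the ignore list, and the sample request are assumptions constructed for illustration.

```python
import re

# Header named in the article; HTTP header names are case-insensitive.
CARRIER_HEADERS = {"x-network-info"}

# Assumption: an MSISDN shows up as a run of 10-15 digits (E.164 allows at
# most 15), optionally prefixed with "+". The article does not give the
# real layout of the header value.
MSISDN_RE = re.compile(r"(?<!\d)\+?\d{10,15}(?!\d)")

# Headers where long digit runs are expected and are not phone numbers
# (assumed list; extend for your own stack).
IGNORE = {"content-length", "cookie", "etag"}


def mask(match):
    """Keep only the last two characters so log entries stay correlatable."""
    text = match.group(0)
    return "*" * (len(text) - 2) + text[-2:]


def scrub_headers(headers):
    """Return (clean, findings): headers safe to log, and what was changed."""
    clean, findings = {}, []
    for name, value in headers.items():
        key = name.lower()
        if key in CARRIER_HEADERS:
            findings.append((name, "dropped"))   # never store it at all
            continue
        if key not in IGNORE and MSISDN_RE.search(value):
            clean[name] = MSISDN_RE.sub(mask, value)
            findings.append((name, "masked"))
            continue
        clean[name] = value
    return clean, findings


# Constructed sample request headers; the phone number is a placeholder.
SAMPLE = {
    "Host": "example.com",
    "User-Agent": "Mozilla/5.0 (X11) Gecko/20100101",
    "X-Network-info": "GPRS,34600000000,10.0.0.1",
    "X-Constructed-Example": "34600000000",
}

if __name__ == "__main__":
    clean, findings = scrub_headers(SAMPLE)
    print(clean)
    print(findings)
```

Run the scrubber before the request reaches any logging or analytics middleware, so the raw value is never written to disk.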
Xufi notified Orange Spain about the privacy issue a month ago, the researcher added, but had seen no changes in its practices.
Orange users in the UK also have their phone numbers given out, according to research revealed in March. Collin Mulliner, a student at the Berlin Institute of Technology, gave a presentation at the CanSecWest security conference in which he said that Orange UK uses mobile phone numbers in HTTP headers.
Mulliner studied HTTP headers sent by mobile carriers to a number of sites, and found the sensitive data sent by Orange UK.
Orange had not responded to a request for comment at the time of writing.