
Google Patched An Old Google Chrome Flaw That Leaked User’s Device Information

by Abeerah Hashim

As disclosed over Christmas, Google has finally patched an old vulnerability in its Chrome for Android browser. The flaw leaked device information for three years before Google recognised it as a security threat and released a patch. However, according to the researchers, the fix is still only partial.

A Google Chrome Flaw Leaked Android Device Data For Three Years

Reportedly, Google patched the security flaw in October 2018 with the release of Chrome 70. As revealed recently in a blog post by Nightwatch Cybersecurity, a Google Chrome flaw that remained present in the Android version of the browser for around three years has finally received a fix. The vulnerability leaked specific device information that could also facilitate device fingerprinting.

The vulnerability was first disclosed in 2015 by the same researchers who have now revealed details about the fix. According to their previous blog post, published in September 2015, Chrome for Android had a serious security vulnerability that exposed details of the user's device. The leaked information included the device hardware model, firmware version, and security patch level. Consequently, anyone collecting this data could easily determine the security status of a device and single out vulnerable devices for attack.

In summary, the problem existed because the Android User-Agent string included both the Android version number and the build tag. While exposing the Android version number might not be an issue, leaking the build tag was. As explained in their report,

“It is the build tag that is the problem… The build tag identifies both the device name and its firmware build. For many devices, this can be used to identify not only the device itself, but also the carrier on which it is running and from that the country.”

In addition, the User-Agent header leaked this information over both HTTP and HTTPS requests.

Google Partially Fixed The Flaw

In October 2018, Google released Chrome 70 for all operating systems. As revealed by the researchers, the Android version of the browser carried only a partial fix for the flaw.

When the researchers reported the bug three years ago, Google did not consider it an issue. However, as highlighted by the Nightwatch Cybersecurity researchers, Google released a patch in October 2018 after deeming it a security threat themselves. Google has now removed the firmware build number from the User-Agent string in Chrome for Android. Nonetheless, the device model still remains in the string.

Moreover, the problem persists in Android WebView and Custom Tabs, which still leak the device name and build number. WebView is Android's built-in browser component, used by many applications including Facebook and Twitter.
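To make the partial fix concrete, here is an added example (not code from the article or from Nightwatch Cybersecurity) that inspects an Android User-Agent string and reports which device details it exposes. The three User-Agent strings are constructed for illustration; the build tags "NJH47F" and "OPM4.171019.021.D1" are the ones quoted from Chrome Status, and the `wv` token is the marker Android WebView adds to its User-Agent.

```javascript
// Constructed sample User-Agent strings (not captured from real devices).
const SAMPLE_UAS = {
  // Chrome 69 on Android: device model AND firmware build tag present (pre-fix)
  chrome69: 'Mozilla/5.0 (Linux; Android 8.0.0; Pixel 2 Build/OPM4.171019.021.D1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36',
  // Chrome 70 on Android: build tag removed, device model still present (partial fix)
  chrome70: 'Mozilla/5.0 (Linux; Android 8.0.0; Pixel 2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36',
  // Android WebView ("wv" token): still carries the build tag even with a Chrome 70 engine
  webview: 'Mozilla/5.0 (Linux; Android 7.1.1; Nexus 5X Build/NJH47F; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.3538.80 Mobile Safari/537.36',
};

// Pulls the Android version, device model, firmware build tag, WebView marker and
// Chrome major version out of a User-Agent string. Missing fields come back as null.
function inspectUserAgent(ua) {
  const result = { androidVersion: null, model: null, build: null, webview: false, chromeMajor: null };
  // The platform details sit in the first parenthesised group after "Mozilla/5.0".
  const platform = ua.match(/^Mozilla\/5\.0 \(([^)]*)\)/);
  if (!platform) return result;
  const fields = platform[1].split(';').map((s) => s.trim());
  result.webview = fields.includes('wv');
  const android = fields.find((f) => /^Android /.test(f));
  if (android) result.androidVersion = android.slice('Android '.length);
  // The device field is whatever is left: "<model>" or "<model> Build/<build tag>".
  const device = fields.find((f) => /^(?!Linux$|Android |wv$)/.test(f));
  if (device) {
    const m = device.match(/^(.*?)(?: Build\/(\S+))?$/);
    result.model = m[1] || null;
    result.build = m[2] || null;
  }
  const chrome = ua.match(/Chrome\/(\d+)/);
  if (chrome) result.chromeMajor = Number(chrome[1]);
  return result;
}

// True when the string still discloses the firmware build tag, i.e. the
// information the Chrome 70 change was meant to remove.
function leaksFirmwareBuild(ua) {
  return inspectUserAgent(ua).build !== null;
}

// Running this in a browser or WebView against the live navigator.userAgent
// shows whether that particular client is still exposing its build tag.
if (typeof navigator !== 'undefined') {
  console.log(inspectUserAgent(navigator.userAgent));
}
```

A site operator can run the same check over their access logs to measure how many clients (typically embedded WebViews) still send the build tag after the Chrome 70 rollout.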

For now, the researchers have advised the following mitigations for this problem.

“Users are encouraged to update to Chrome v70 or later to fix this issue. Application authors should use WebSettings.setUserAgent() method to override the user agent.”

Google has not only fixed the problem for Android but has also incorporated the change in Chrome for iOS with the release of version 69.

Although the researchers’ findings clearly indicate that the bug is a security threat, MITRE and Google have declined to assign a CVE number to it, as they do not consider it a security issue. Nonetheless, the bug description on Chrome Status mentions the possibility of this information being abused.

“The OS build number (for example, “NJH47F” or “OPM4.171019.021.D1” on Android) has been removed from the user-agent identification (User-Agent header and navigator.userAgent) on Android and on iOS… This will prevent abuses of that information such as exploit targeting and fingerprinting. It’ll also bring Chrome closer in line with RFC 7231 section 5.5.3.”
