As disclosed over Christmas, Google has finally patched an old vulnerability in its Chrome for Android browser. The flaw leaked device information for three years before Google recognized it as a security threat and released a patch. However, according to the researchers, the fix is only partial.
A Google Chrome Flaw Leaked Android Device Data For Three Years
Reportedly, Google patched the flaw in October 2018 with the release of Chrome 70. As revealed recently in a blog post by Nightwatch Cybersecurity, a Google Chrome flaw that remained present in the Android version of the browser for around three years has finally received a fix. The vulnerability leaked detailed device information that could facilitate device fingerprinting.
The vulnerability was first disclosed in 2015 by the same researchers who have now revealed details about the fix. According to their previous blog post, published in September 2015, Chrome for Android had a serious security vulnerability that exposed details of the user's device. The leaked information included the device hardware model, firmware version, and security patch level. Consequently, anyone observing this data could easily determine a device's security status and single out vulnerable devices for attack.
In summary, the problem existed because the Android User-Agent string included both the Android version number and the build tag. While exposing the Android version number might not be an issue, leaking the build tag was. As explained in their report,
“It is the build tag that is the problem… The build tag identifies both the device name and its firmware build. For many devices, this can be used to identify not only the device itself, but also the carrier on which it is running and from that the country.”
In addition, the User-Agent header leaked this information over both HTTP and HTTPS requests.
Google Partially Fixed The Flaw
In October 2018, Google released Chrome 70 for all operating systems. As revealed by the researchers, the Android version of the Chrome browser carried a partial fix for the flaw.
When the researchers reported the bug three years ago, Google did not consider it an issue. However, as Nightwatch Cybersecurity highlights, Google released a patch in October 2018 after deciding on its own that the behaviour was a security threat. Google has now removed the firmware build number from the User-Agent string in Chrome for Android. Nonetheless, the device model remains.
Moreover, the problem still persists in Android WebView and Custom Tabs, which continue to leak the device name and build number. WebView is the built-in browser component in Android that many applications, including Facebook and Twitter, use to render web content.
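To make the User-Agent structure described above concrete, here is an added example (not code from the article or from Nightwatch Cybersecurity) that parses the platform section of Android Chrome and WebView User-Agent strings and flags those that still expose a firmware build tag; the sample strings, including their device models and version numbers, are constructed for illustration, while the build IDs "NJH47F" and "OPM4.171019.021.D1" are the ones quoted in the article. A defender can run `find_leaking` over the User-Agent column of web server logs to measure how much of their Android traffic still carries build tags after the Chrome 70 change.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample User-Agent strings, not captured from real devices.
SAMPLE_USER_AGENTS = [
    # Chrome 68 on Android: model and firmware build tag both exposed.
    "Mozilla/5.0 (Linux; Android 7.1.2; Pixel XL Build/NJH47F) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/68.0.3440.91 Mobile Safari/537.36",
    # Chrome 70 on Android: build tag removed, device model still present.
    "Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36",
    # Android WebView (marked "; wv"): model and build tag still exposed.
    "Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2 Build/OPM4.171019.021.D1; wv) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.3538.80 Mobile Safari/537.36",
]

# Platform section of an Android UA: "(Linux; Android <ver>; <model>[ Build/<id>][; wv])"
_ANDROID_RE = re.compile(
    r"\(Linux; Android (?P<version>[\d.]+); "
    r"(?P<model>[^;)]+?)(?: Build/(?P<build>[^;)]+))?(?P<wv>; wv)?\)"
)
_CHROME_RE = re.compile(r"Chrome/(?P<major>\d+)\.")

@dataclass
class UAReport:
    android_version: str
    model: str
    build_id: Optional[str]      # firmware build tag such as "NJH47F"; None if removed
    chrome_major: Optional[int]
    is_webview: bool

    @property
    def leaks_build(self) -> bool:
        """True when the UA still carries the firmware build tag."""
        return self.build_id is not None

def analyze_user_agent(ua: str) -> Optional[UAReport]:
    """Parse an Android Chrome/WebView UA; return None for non-Android UAs."""
    m = _ANDROID_RE.search(ua)
    if not m:
        return None
    c = _CHROME_RE.search(ua)
    return UAReport(m.group("version"), m.group("model").strip(), m.group("build"),
                    int(c.group("major")) if c else None, m.group("wv") is not None)

def find_leaking(user_agents: List[str]) -> List[UAReport]:
    """Keep only the UAs (e.g. from access logs) that still expose a build tag."""
    reports = (analyze_user_agent(ua) for ua in user_agents)
    return [r for r in reports if r is not None and r.leaks_build]
```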
For now, the researchers have advised the following mitigations:
“Users are encouraged to update to Chrome v70 or later to fix this issue. Application authors should use the WebSettings.setUserAgent() method to set or override the user agent.”
Google has not only fixed the problem for Android but has also incorporated the change in Chrome for iOS with the release of version 69.
Although the researchers’ findings clearly indicate that the bug is a security threat, MITRE and Google have refused to assign a CVE number to it, as they do not consider it a security issue. Nonetheless, the bug description on Chrome Status mentions the possibility of abuse of that information.
“The OS build number (for example, “NJH47F” or “OPM4.171019.021.D1” on Android) has been removed from the user-agent identification (User-Agent header and navigator.userAgent) on Android and on iOS… This will prevent abuses of that information such as exploit targeting and fingerprinting. It’ll also bring Chrome closer in line with RFC 7231 section 5.5.3.”