Pierluigi Paganini January 03, 2019

Three years after its disclosure, Google has patched an information disclosure flaw in the Android version of the popular Chrome web browser.

The issue exposes devices information, including device model and firmware version, an attacker could exploit this info to remotely identify unpatched devices and target them.

The flaw ties the way the Android version of Google Chrome generates ‘User Agent’ string that contains the Android version number and build information (i.e device name, installed firmware build).

Experts pointed out that this data could be used to track users and fingerprint devices.

“Google’s Chrome browser for Android tends to disclose information that can be used to identify the hardware of the device it is running on.”reads the blog post published by Yakov Shafranovich from Nightwatch Cybersecurity firm

“This problem is further exacerbated by the fact that many applications on Android use Chrome WebView or Chrome Custom Tabs to render web content.”

For example: Mozilla/5.0 (Linux; Android 5.1.1; Nexus 6 Build/LYZ28K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.34 Mobile Safari/537.36

Shafranovich reported this bug to Google three years ago, but the tech giant rejected it explaining that the app was “working as intended.”

“While Android does offer ability to override these (via WebSettings.setUserAgent() in WebView), most applications choose not to do that to assure compatibility by relying on the default header.” continues the post.
“Aggravating this issue is that the user agent header is sent always, with both HTTP and HTTPS requests, often by processes running in background. Also, unlike the desktop Chrome, on Android no extensions or overrides are possible to change the header other than the “Request Desktop Site” option on the browser itself for the current session. “

“For many devices, this can be used to identify not only the device itself but also the carrier on which it is running and from that the country.”

The flaw could be used to determine the specific build installed on a device and the Android version running on it, this information could be used by an attacker to determine if it is possible to carry out an attack exploiting specific vulnerabilities. patch level on the device and vulnerabilities.

Google has finally addressed the flaw with the release of Chrome 70 in October 2018, but the fix is only partial because the latest version only strips the firmware build information from the header. It is still possible to discover the hardware model identifier from the User Agent.

The update only impacts the app itself and not to the WebView implementation, this means that developers are recommended to manually override the User Agent configuration in their apps.

According to Shafranovich, all versions of Chrome for Android prior to version 70 are affected by the flaw.

“Both the vendor and MITRE refused to issue a CVE number to track this issue since they do not consider it to be security related”
Shafranovich added.

Android users urge to upgrade to Chrome version 70 or later.

Pierluigi Paganini

(SecurityAffairs – Android Google Chrome, hacking)

[adrotate banner=”5″] [adrotate banner=”13″]