Hacking

After 3 years, Google partially fixes a bug in Android Google Chrome

Three years after its disclosure, Google has patched an information disclosure flaw in the Android version of the popular Chrome web browser.

The issue exposes devices information, including device model and firmware version, an attacker could exploit this info to remotely identify unpatched devices and target them.

The flaw ties the way the Android version of Google Chrome generates ‘User Agent’ string that contains the Android version number and build information (i.e device name, installed firmware build).

Experts pointed out that this data could be used to track users and fingerprint devices.

“Google’s Chrome browser for Android tends to disclose information that can be used to identify the hardware of the device it is running on.”reads the blog post published by Yakov Shafranovich from Nightwatch Cybersecurity firm

“This problem is further exacerbated by the fact that many applications on Android use Chrome WebView or Chrome Custom Tabs to render web content.”

For example: Mozilla/5.0 (Linux; Android 5.1.1; Nexus 6 Build/LYZ28K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.34 Mobile Safari/537.36

Shafranovich reported this bug to Google three years ago, but the tech giant rejected it explaining that the app was “working as intended.”

“While Android does offer ability to override these (via WebSettings.setUserAgent() in WebView), most applications choose not to do that to assure compatibility by relying on the default header.” continues the post.
“Aggravating this issue is that the user agent header is sent always, with both HTTP and HTTPS requests, often by processes running in background. Also, unlike the desktop Chrome, on Android no extensions or overrides are possible to change the header other than the “Request Desktop Site” option on the browser itself for the current session. “

“For many devices, this can be used to identify not only the device itself but also the carrier on which it is running and from that the country.”

The flaw could be used to determine the specific build installed on a device and the Android version running on it, this information could be used by an attacker to determine if it is possible to carry out an attack exploiting specific vulnerabilities. patch level on the device and vulnerabilities.

Google has finally addressed the flaw with the release of Chrome 70 in October 2018, but the fix is only partial because the latest version only strips the firmware build information from the header. It is still possible to discover the hardware model identifier from the User Agent.

The update only impacts the app itself and not to the WebView implementation, this means that developers are recommended to manually override the User Agent configuration in their apps.

According to Shafranovich, all versions of Chrome for Android prior to version 70 are affected by the flaw.

“Both the vendor and MITRE refused to issue a CVE number to track this issue since they do not consider it to be security related”
Shafranovich added.

Android users urge to upgrade to Chrome version 70 or later.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Android Google Chrome, hacking)

[adrotate banner=”5″] [adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco warns of password-spraying attacks targeting Secure Firewall devices

Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services…

40 mins ago

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

4 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

18 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

1 day ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

2 days ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

This website uses cookies.