Google Chrome flaw patched three years after initial report

Google Chrome flaw patched three years after initial report 1

Google has patched a security flaw in Chrome for Android that leaked information about smartphones’ hardware model, firmware version, and indirectly the device’s security patch level.

What made this bugfix stand out was the fact that security researchers first reported the issue to Google engineers back in May 2015, only to be ignored three years, until the Chrome staff realized by itself that the information that Chrome for Android was exposing was, indeed, dangerous, as it could have been used for exploit targeting and user fingerprinting.

The 2015 bug report

The bug at hand was first documented in a 2015 blog post by security researchers from Nightwatch Cybersecurity. Back then, Nightwatch researchers discovered that Chrome for Android User-Agent strings contained a little bit more information than User-Agent strings on desktop versions.

On top of Chrome browser details and operating system version number information, Chrome for Android User-Agent strings also contained information about the device name and its firmware build.

Example: “ST26i Build/LYZ28K”

Exposing device names such as “ST26i” is dangerous, as these aren’t just some generic terms. Device names can be easily translated to exact smartphone models based on already known public lists, like this, for example.

But the biggest issue was the inclusion of the firmware build number.

“For many devices, this can be used to identify not only the device, but also the carrier on which it is running and from that the country,” said Nightwatch researchers in an updated blog post over the Christmas holiday. “Build numbers are easily obtainable from manufacturer and phone carrier websites such as this one.”

“An example can be easily seen from the above where build LYZ28K can be easily identified as Nexus 6 running on T-Mobile, implying a US presence,” researchers said.

Exploit targeting

Furthermore, knowing the build number means attackers can also determine the exact firmware number, and indirectly determine which security patch level the device is running and which vulnerabilities the device is vulnerable to.

Such information is crucial to cyber-criminals running web-based exploit kits (EKs) or to nation-state hackers that lure high-value targets on weaponized websites.

This type of sensitive information should have never been included in the User-Agent string, initially designed for basic debugging and analytics purposes.

A change of heart

While initially, Google told Nightwatch researchers that Chrome for Android was working as intended, the company changed its mind this summer, when Google engineers, on their own, began a process to remove at least the build number from the Chrome for Android User-Agent string.

That fix was silently shipped out to Chrome for Android users with v70, released in mid-October 2018.

However, the fix isn’t complete. Device name strings are still listed. Furthermore, both the device name and build number are still included in WebView and Custom Tabs, two Android components that are slimmed down versions of the Chrome engine that other apps can embed inside their code so users can view web content using a built-in Chrome-like browser.

While Custom Tabs is rarely used nowadays, WebView is extremely popular, being the built-in browser of popular apps such as Facebook, Twitter, Flipboard, and others.

While most users aren’t directly impacted by this issue, users who value their privacy should be aware of this leak and use another browser instead of Chrome or WebView.

A temporary fix would be to configure Chrome for Android to use the “Request Desktop Site” option when viewing websites on their phone. This is because Chrome for Android when configured to use “Request Desktop Site” broadcasts a generic Linux-like User-Agent string, with no device name or firmware build number included.

In addition, Nightwatch also recommends that app developers overwrite User-Agent strings to use either a custom string, or strip out device name and build numbers. However, most app developers have their own apps’ bugs to deal with, and most devs won’t even bother.

More browser coverage:

About the author

E-Crypto News was developed to assist all cryptocurrency investors in developing profitable cryptocurrency portfolios through the provision of timely and much-needed information. Investments in cryptocurrency require a level of detail, sensitivity, and accuracy that isn’t required in any other market and as such, we’ve developed our databases to help fill in information gaps.

Related Posts

E-Crypto News Executive Interviews

Crypto Scams

Beanstalk Farms Loses $80M In A Massive DeFi Governance Flash-Loan Hack
Beanstalk Farms Loses $80M In A Massive DeFi Governance Flash-Loan Hack
April 23, 2022
Joon Pak Head of Crypto at Prove talks to Us about Crypto Fraud And More
April 11, 2022
Mintable CEO Zach Burks Talks to Us about the Opensea Stolen NFTs and Their Recovery
March 21, 2022
Crypto Crime
Crypto Crime Surges To Record Highs As Thieves Follow Market Buzz – Chainalysis 2022 Report
February 24, 2022
Bots Circumvent 2FA Login At Coinbase And Other Crypto Exchanges In 2022
Bots Have Circumvented 2FA Logins At Coinbase And Other Crypto Exchanges In 2022
February 17, 2022

Automated trading with HaasBot Crypto Trading Bots

Blockchain/Cryptocurrency Questions and Answers

Roundtable Interview-What is the Effect of The Russia-Ukraine War on Cryptocurrency Prices?
March 4, 2022
How Does Bitcoin Casino Work + 2021 Beginner’s Guide
November 8, 2021
How to Buy and Sell Cryptocurrency
November 8, 2021
What Are Bitcoin Futures And How Will They Work In 2022?
November 4, 2021
The Unconventional Guide to Ethereum
October 28, 2021

CryptoCurrencyUSDChange 1hChange 24hChange 7d
Bitcoin28,927 0.24 % 2.58 % 4.79 %
Ethereum1,745.8 1.02 % 9.52 % 13.74 %
Tether1.001 0.13 % 0.18 % 0.03 %
USD Coin0.9989 0.16 % 0.08 % 0.04 %
BNB297.74 0.97 % 6.45 % 3.22 %
XRP0.3968 0.33 % 1.57 % 5.88 %
Binance USD1.000 0.14 % 0.19 % 0.34 %
Cardano0.9566 0.22 % 0.68 % 6.96 %
Solana40.52 3.64 % 13.36 % 22.57 %
Dogecoin0.07762 0.32 % 5.63 % 10.86 %

Bitcoin (BTC) $ 29,044.00
Ethereum (ETH) $ 1,754.36
Tether (USDT) $ 1.00
USD Coin (USDC) $ 1.00
BNB (BNB) $ 299.04
XRP (XRP) $ 0.397311
Binance USD (BUSD) $ 1.01
Cardano (ADA) $ 0.462776
Solana (SOL) $ 41.54
Dogecoin (DOGE) $ 0.077558