Google has just fixed a three-year old vulnerability in Chrome for Android. The vulnerability was originally discovered in May 2015, but it took a while for Google to evaluate the threat and its potential.
In 2015, Nightwatch Cybersecurity researchers discovered that “Google’s Chrome browser for Android tends to disclose information that can be used to identify the hardware of the device it is running on”. The issue is even more serious because many applications on Android use Chrome WebView or Chrome Custom Tabs to render content. In short, it is a serious security issue that could expose different types of information about the device via the Chrome browser.
To be more technically precise, the Chrome browser, WebView and Tabs for Android reveal information about the hardware model, firmware version and security patch level of the corresponding device. In addition, applications that use Chrome to render web content are also affected, the researchers said. The issue here is that this information can be exploited to track users and fingerprint their devices. Moreover, attackers can also uncover the vulnerabilities the device is exposed to, and this could make an exploit process quite easy to carry out.
Google Refused to Treat the Vulnerability
It turns out that Google rejected the initial bug report the researchers prepared in 2015. MITRE also didn’t assign the vulnerability a CVE number because they felt it wasn’t related to security.
Nonetheless, Google issued a partial fix in October 2018 for Chrome v70. An updated Nightwatch Security report says that:
The fix hides the firmware information while retaining the hardware model identifier. All prior versions are believed to be affected. Users are encouraged to upgrade to version 70 or later. Since this fix doesn’t apply to WebView usage, app developers should manually override the User Agent configuration in their apps.
What Should Users Do?
Users should consider updating their Android devices to Chrome v70 to address the issue. As for app developers, they should use the WebSettings.setUserAgent() method to set the override the user agent, the researchers’ report says. More information about this curious case involving the vulnerability is available.