Google Refused to Patch a Vulnerability in Android Chrome for 3 Years


Google has just fixed a three-year-old vulnerability in Chrome for Android. The vulnerability was originally discovered in May 2015, but it took a while for Google to evaluate the threat and its potential.




In 2015, Nightwatch Cybersecurity researchers discovered that “Google’s Chrome browser for Android tends to disclose information that can be used to identify the hardware of the device it is running on”. The issue is even more serious because many applications on Android use Chrome WebView or Chrome Custom Tabs to render content. In short, it is a serious security issue that could expose different types of information about the device via the Chrome browser.

To be more technically precise, the Chrome browser, WebView and Custom Tabs for Android reveal information about the hardware model, firmware version and security patch level of the corresponding device. In addition, applications that use Chrome to render web content are also affected, the researchers said. The issue here is that this information can be used to track users and fingerprint their devices. Moreover, attackers can also work out which vulnerabilities the device is exposed to, which could make an exploit process quite easy to carry out.


Google Refused to Treat the Vulnerability

It turns out that Google rejected the initial bug report the researchers prepared in 2015. MITRE also didn’t assign the vulnerability a CVE number because they felt it wasn’t related to security.

Nonetheless, Google issued a partial fix in October 2018 for Chrome v70. An updated Nightwatch Security report says that:

The fix hides the firmware information while retaining the hardware model identifier. All prior versions are believed to be affected. Users are encouraged to upgrade to version 70 or later. Since this fix doesn’t apply to WebView usage, app developers should manually override the User Agent configuration in their apps.

What Should Users Do?

Users should consider updating their Android devices to Chrome v70 to address the issue. As for app developers, they should use the WebSettings.setUserAgent() method to override the user agent, the researchers’ report says. More information about this curious case involving the vulnerability is available.
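As an added example (not code from this article or from the researchers' report), here is one way an app could apply the recommended override to its own WebView: it removes the firmware build token from the default User-Agent, as the Chrome 70 fix does, and can optionally drop the hardware model as well. The class and method names are hypothetical, the code assumes the default WebView User-Agent carries a "Build/" token inside its "(Linux; Android ...)" comment, and it uses WebSettings.setUserAgentString(), the Android SDK method that sets the User-Agent string.

```java
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.util.regex.Pattern;

// Added example; UserAgentHardening, sanitize() and apply() are hypothetical names.
public final class UserAgentHardening {
    // The " Build/<firmware id>" token inside the platform comment,
    // e.g. " Build/ABC1.000000.001" (constructed value).
    private static final Pattern BUILD = Pattern.compile("\\s*Build/[^;)]+");

    // The "; <model>" field that follows the Android version. The lookahead
    // keeps the "; wv" WebView marker from being mistaken for a model name.
    private static final Pattern MODEL =
            Pattern.compile("(\\(Linux; Android [^;)]+); (?!wv\\))[^;)]+");

    private UserAgentHardening() {}

    /**
     * Pure string transform, so it can be unit-tested off-device.
     * Always removes the firmware build token; removes the hardware
     * model too when hideModel is true.
     */
    public static String sanitize(String userAgent, boolean hideModel) {
        String out = BUILD.matcher(userAgent).replaceFirst("");
        if (hideModel) {
            out = MODEL.matcher(out).replaceFirst("$1");
        }
        return out;
    }

    /**
     * Rewrites the User-Agent of one WebView. Call this before the first
     * loadUrl() so that no request is sent with the default value.
     */
    public static void apply(WebView webView, boolean hideModel) {
        WebSettings settings = webView.getSettings();
        String current = settings.getUserAgentString();
        settings.setUserAgentString(sanitize(current, hideModel));
    }
}
```

The override is per WebView instance, so every WebView the app creates needs the call.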


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
