Google has finally patched a privacy flaw in Chrome for Android that exposed users’ device models and firmware versions, allowing remote attackers to identify unpatched devices and exploit known vulnerabilities.
The vulnerability, which has not yet been assigned a CVE number, is a flaw in the way Google Chrome for Android generates the ‘User Agent’ string containing the Android version number and build tag information, which includes the device name and firmware build.
This information is also sent to applications utilizing the WebView and Chrome Tabs APIs, which can be used to track users and fingerprint devices on which these applications are running.
For example: Mozilla/5.0 (Linux; Android 5.1.1; Nexus 6 Build/LYZ28K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.34 Mobile Safari/537.36
Three years ago, Nightwatch Cybersecurity contributor Yakov Shafranovich reported this issue to Google, but the company rejected the bug report, stating that its browser app was “working as intended.”
“While Android offers the ability to override these (via WebSettings.setUserAgent() in WebView), the majority of applications choose not to do so in order to ensure compatibility by relying on the default header,” Shafranovich explained.
“For many devices, this information can be used to identify not only the device itself, but also the carrier on which it is running and, by extension, the country.”
Because the firmware build identifies the device's security patch level, the same header also reveals which known vulnerabilities remain unpatched on that device, allowing attackers to target it selectively.
However, Google has now partially resolved the issue with the release of Chrome 70 in October 2018, following a new bug report filed by a different user on Google’s Chromium forum earlier this year.
According to the researcher, the Chrome 70 update removed only the firmware build information from the header, while the hardware model identifier remains in the User Agent.
Since the update only affects the app itself and not the WebView implementation, it is recommended that application developers manually override the User Agent configuration in their apps.
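As an added illustration (not code from the article or from Shafranovich's post), the following Python parser pulls the fields the header exposes out of the UA string and applies the two narrowing steps discussed above: dropping the Build/ tag, as Chrome 70 does, and dropping the model as well, as an app overriding its WebView header would. The field names, the `leak_level` labels and the generic placeholder model token are my own choices, and the sample UA strings are constructed.

```python
import re

# Constructed sample headers: the pre-Chrome-70 format (with Build/ tag)
# and the post-Chrome-70 format (model kept, Build/ tag removed).
UA_PRE_70 = ("Mozilla/5.0 (Linux; Android 5.1.1; Nexus 6 Build/LYZ28K) "
             "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.34 Mobile Safari/537.36")
UA_POST_70 = ("Mozilla/5.0 (Linux; Android 5.1.1; Nexus 6) "
              "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36")

# Placeholder used in place of the real model when hardening (my choice, not a Chrome constant).
GENERIC_MODEL = "K"

# Android platform parenthetical: "(Linux; Android <ver>; <model>[ Build/<tag>])".
# The lazy model group stops before an optional " Build/" token.
ANDROID_RE = re.compile(r"\(Linux; Android ([^;)]+); ([^)]+?)(?: Build/([^)\s]+))?\)")


def exposed_fields(ua):
    """Return the Android version, device model and Build/ tag found in ua, or None if not Android."""
    m = ANDROID_RE.search(ua)
    if not m:
        return None
    return {"android_version": m.group(1),
            "device_model": m.group(2),
            "build_tag": m.group(3)}  # None once the Build/ tag is gone


def leak_level(ua):
    """Classify how much device-identifying data the header carries: none, model, or model+build."""
    fields = exposed_fields(ua)
    if fields is None:
        return "none"
    if fields["build_tag"]:
        return "model+build"
    if fields["device_model"] != GENERIC_MODEL:
        return "model"
    return "none"


def harden_user_agent(ua, keep_model=False):
    """Rewrite the platform parenthetical: always drop Build/, drop the model unless keep_model."""
    def repl(m):
        model = m.group(2) if keep_model else GENERIC_MODEL
        return f"(Linux; Android {m.group(1)}; {model})"
    return ANDROID_RE.sub(repl, ua, count=1)
```

`harden_user_agent(ua, keep_model=True)` reproduces what the Chrome 70 change did to the header, while the default additionally removes the model, which is the part an application must still strip itself (for example via the WebView's user-agent setting) because the update does not cover WebView.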
“Also, unlike desktop Chrome, no extensions or overrides are available on Android to change the header, with the exception of the ‘Request Desktop Site’ option on the browser itself for the current session,” Shafranovich writes in a new blog post.
“Both the vendor and MITRE refused to assign a CVE number to this issue because neither considers it to be security-related.”
Shafranovich believes that all versions of Chrome for Android before version 70 are vulnerable, so it is strongly advised that all users upgrade to version 70 or later.