Best Top Reviews Online

Google Partially Patches Chrome for Android Vulnerability Three Years After Disclosure

Google has finally patched a privacy flaw in Chrome for Android that exposed users’ device models and firmware versions, allowing remote attackers to identify unpatched devices and exploit known vulnerabilities.

The vulnerability, which has not yet been assigned a CVE number, is a flaw in the way Google Chrome for Android generates the ‘User Agent’ string containing the Android version number and build tag information, which includes the device name and firmware build.

This information is also sent to applications utilizing the WebView and Chrome Tabs APIs, which can be used to track users and fingerprint devices on which these applications are running.

For example:

Mozilla/5.0 (Linux; Android 5.1.1; Nexus 6 Build/LYZ28K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.34 Mobile Safari/537.36

Three years ago, Nightwatch Cybersecurity contributor Yakov Shafranovich reported this issue to Google, but the company rejected the bug report, stating that its browser app was “working as intended.”

“While Android offers the ability to override these (via WebSettings.setUserAgent() in WebView), the majority of applications choose not to do so in order to ensure compatibility by relying on the default header,” Shafranovich explained.

“For many devices, this information can be used to identify not only the device itself, but also the carrier on which it is running and, by extension, the country.”

The leaked information can also be used to determine the device’s security patch level, and therefore which known vulnerabilities it is exposed to, which attackers can exploit in a targeted manner.

However, Google has now partially resolved the issue with the release of Chrome 70 in October 2018, following a new bug report filed by a different user on Google’s Chromium forum earlier this year.

According to the researcher, the Chrome 70 update removed only the firmware build information from the header, while the hardware model identifier remains in the User Agent.

Since the update only affects the app itself and not the WebView implementation, it is recommended that application developers manually override the User Agent configuration in their apps.
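One way an app could apply the override recommended above, as an added example that is not code from the article, from Shafranovich, or from Google. It uses the Android SDK methods WebSettings.getUserAgentString() and WebSettings.setUserAgentString(); the class name UserAgentScrubber and the choice to keep the Android version while dropping the model and build are assumptions made for this example.

```java
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.util.regex.Pattern;

/** Added example: removes device model and firmware build from a WebView User Agent. */
public final class UserAgentScrubber {

    // Matches the Android platform token, for example the one in the article:
    //   (Linux; Android 5.1.1; Nexus 6 Build/LYZ28K)
    // Group 1 = Android version (kept for site compatibility, an assumption here).
    // The repeated middle group eats every ";"-separated field (locale, model,
    // Build/...) except a trailing "; wv" WebView marker, captured as group 2.
    private static final Pattern PLATFORM = Pattern.compile(
            "\\(Linux; (?:U; )?Android ([^;)]+)(?:;(?! wv\\))[^;)]*)*(; wv)?\\)");

    private UserAgentScrubber() {}

    /**
     * Returns the UA with model and build removed. Strings without an Android
     * platform token are returned unchanged, and the call is idempotent.
     */
    public static String scrub(String userAgent) {
        if (userAgent == null) {
            return null;
        }
        // A group that did not participate ("; wv" absent) expands to nothing.
        return PLATFORM.matcher(userAgent).replaceFirst("(Linux; Android $1$2)");
    }

    /** Call once per WebView instance, before the first loadUrl(). */
    public static void apply(WebView webView) {
        WebSettings settings = webView.getSettings();
        // getUserAgentString() returns the platform default until overridden.
        settings.setUserAgentString(scrub(settings.getUserAgentString()));
    }
}
```

For the sample header shown earlier, scrub() leaves `(Linux; Android 5.1.1)` as the platform token and does not touch the rest of the string.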

“Also, unlike desktop Chrome, no extensions or overrides are available on Android to change the header, with the exception of the ‘Request Desktop Site’ option on the browser itself for the current session,” Shafranovich writes in a new blog post.

“Both the vendor and MITRE refused to assign a CVE number to this issue because neither considers it to be security-related.”

Shafranovich believes that all versions of Chrome for Android before version 70 are vulnerable, so it is strongly advised that all users upgrade to version 70 or later.

Why Trust Us?

Best Top Reviews Online was established in 2018 to provide our readers with detailed, truthful, and impartial advice on what to buy. We now have millions of monthly users from all over the world and annually evaluate over a thousand products.

The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.


© 2022 BestTopReviewsOnline.com Pty. Ltd. All Rights Reserved. Licensing: All third-party trademarks, images, and copyrights used on this page are for comparative advertising, criticism, or review. As this is a public forum where users can express their opinions on specific products and businesses, the opinions expressed do not reflect those of BestTopReviewsOnline.com.