Jump to content

Google fixes vulnerability in Chrome for Android – over three years after it was reported


Recommended Posts

Posted

Google has quietly fixed a security flaw in Chrome for Android that was originally reported more than three years ago.

As reported by ZDNet, the vulnerability was found by bug-hunters at Nightwatch Cybersecurity in May 2015, but wasn't addressed until Google's security staff realized that it was, in fact, a threat.

The flaw means that the mobile browser leaks information about the device it's running on, including the hardware model and firmware version – and therefore its security patch level. Chrome for desktop doesn't suffer the same issue.

Too much information

Browsers send various pieces of information to web servers as part of their normal operation, including details of the browser itself, other apps currently running, and the operating system. Unfortunately, Chrome for Android also sent the device name (such as C6606) and firmware build.

The device name might look random, but it correlates to a specific device model, and can be found easily online in readily available lists. For example, device name C6606 would be a Sony Xperia Z.

That's a security issue in itself, but the accompanying leaked firmware details are the biggest problem. 

"For many devices, this can be used to identify not only the device, but also the carrier on which it is running and from that the country," said Nightwatch Cybersecurity. "Build numbers are easily obtainable from manufacturer and phone carrier websites such as this one."

The build number can also tell attackers the device's security patch level, thereby letting them know which attacks it could be vulnerable to.

Google released a partial fix with Chrome 70 in October 2018, but the browser still releases device names and two Android components (including WebView, which is the built-in browser used by apps like Facebook) still leak the firmware build number.

NlaBr6qEJIM

View the full article

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.