Google has finally fixed a three-year-old security vulnerability in Google Chrome for Android. It is surprising that the technology giant took so long to remedy a flaw identified several years ago. The flaw was originally identified by white-hat hackers at Nightwatch Cybersecurity in May 2015. It was only now that Google's security staff recognized it as a real threat.
It is a normal part of mobile browser operation to send data to web servers: anything from the browser version to the currently active applications or the operating system. This vulnerability is associated with that behaviour.
A look at the vulnerability revealed that it was a serious one, because the mobile browser could leak all kinds of information about the device, such as the hardware model, device name and firmware version.
The vulnerability has only been identified in Google Chrome for Android, not in the desktop version. Yakov Shafranovich, a Nightwatch researcher, explained in a blog post last week that the information can also be used to “track users and fingerprint devices.”
“It can also be used to determine which vulnerabilities a particular device is vulnerable to in order to target exploits,” said Shafranovich.
Google released a partial fix in Chrome 70 in October 2018, but the browser still leaked device names, while two Android components, including the built-in WebView browser, still leaked the firmware build number. A complete fix was therefore needed, which Google has now released.
The vulnerability was not assigned a CVE identifier, although it was partially fixed as a problem with Android's use of the Chrome browser. In 2015, Nightwatch revealed that when Chrome sends a request to a web server to fetch a page, it includes a series of HTTP headers. Of these, the User-Agent header is the most worrying, because it includes the Android version number and build tag information.
“Aggravating this issue is that the user agent header is sent always, with both HTTP and HTTPS requests, often by processes running in the background. Also, unlike the desktop Chrome, on Android, no extensions or overrides are possible to change the header other than the ‘Request Desktop Site’ option on the browser itself for the current session,” added Shafranovich.
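To make the leak described above concrete, the following is an added example (not code from the article or from Nightwatch) that parses the Android portion of a Chrome User-Agent header and reports which fingerprinting fields it exposes. The sample User-Agent strings are constructed to match the documented Chrome-for-Android format (the `Build/` token carries the firmware build ID and `wv` marks WebView); they are not captured from real devices. A site operator can run this over their own access logs to measure how many visiting clients still send the pre-Chrome-70 header, and an app developer can use it to verify that a WebView's configured header no longer carries a build tag.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample User-Agent strings (not real captures).
SAMPLE_UAS = {
    # Older Chrome for Android: model and firmware build ID both present
    "pre_fix_chrome": "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5 Build/MMB29K) "
                      "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Mobile Safari/537.36",
    # Android WebView: same fields plus the 'wv' marker
    "webview": "Mozilla/5.0 (Linux; Android 8.0.0; Pixel 2 Build/OPD1.170816.004; wv) "
               "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/68.0.3440.91 Mobile Safari/537.36",
    # Chrome 70 partial fix: build ID dropped, device model still sent
    "chrome70": "Mozilla/5.0 (Linux; Android 9; Pixel 3) "
                "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36",
    # 'Request Desktop Site': no Android platform section at all
    "desktop_site": "Mozilla/5.0 (X11; Linux x86_64) "
                    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Safari/537.36",
}

# Platform section: "(Linux; Android <ver>[; <model> [Build/<id>][; wv]])"
ANDROID_RE = re.compile(r"\(Linux; Android ([^;)]+)(?:; ([^)]*))?\)")
CHROME_RE = re.compile(r"Chrome/([\d.]+)")
BUILD_RE = re.compile(r"(.*?)\s*Build/(\S+)$")


@dataclass
class AndroidUaExposure:
    android_version: Optional[str]
    device_model: Optional[str]
    build_id: Optional[str]
    is_webview: bool
    chrome_version: Optional[str]

    @property
    def leaks(self) -> List[str]:
        """Fields that let a server fingerprint the specific device/firmware."""
        found = []
        if self.device_model:
            found.append("device_model")
        if self.build_id:
            found.append("build_id")
        return found


def parse_android_ua(ua: str) -> AndroidUaExposure:
    """Extract the device-identifying fields from a Chrome-for-Android User-Agent."""
    chrome = CHROME_RE.search(ua)
    chrome_version = chrome.group(1) if chrome else None
    m = ANDROID_RE.search(ua)
    if not m:
        # Not an Android platform section (desktop UA, other browser, etc.)
        return AndroidUaExposure(None, None, None, False, chrome_version)
    android_version = m.group(1)
    parts = [p.strip() for p in (m.group(2) or "").split(";")]
    is_webview = "wv" in parts
    device_model = None
    build_id = None
    for part in parts:
        if not part or part == "wv":
            continue
        bm = BUILD_RE.match(part)
        if bm:
            # "Pixel 2 Build/OPD1.170816.004" -> model "Pixel 2", build "OPD1.170816.004"
            device_model = bm.group(1) or None
            build_id = bm.group(2)
        elif device_model is None:
            device_model = part
    return AndroidUaExposure(android_version, device_model, build_id, is_webview, chrome_version)


def audit(uas: dict) -> dict:
    """Map each sample name to the list of leaked fields, for a quick log review."""
    return {name: parse_android_ua(ua).leaks for name, ua in uas.items()}


if __name__ == "__main__":
    for name, ua in SAMPLE_UAS.items():
        info = parse_android_ua(ua)
        print(f"{name:15} android={info.android_version} model={info.device_model} "
              f"build={info.build_id} webview={info.is_webview} leaks={info.leaks}")
```

The `build_id` field is the one that maps a device to a specific firmware release, which is why the partial Chrome 70 fix (model still present, build ID gone) narrowed the exposure without removing it; the `desktop_site` sample shows why the “Request Desktop Site” option was the only per-session workaround on the browser itself.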
An attacker therefore only needs to develop a malicious website, used as a watering hole or promoted through spam to drive traffic to it, and design a campaign that uses the information from visiting devices to exploit defects in a targeted manner. Nightwatch calls on users to upgrade to Chrome 70 or later and to update apps that use WebView immediately. Web developers also need to manually change their apps' user agent configuration.