A three-year-old security vulnerability in Google Chrome for Android has finally been fixed by Google. It is quite surprising that the tech giant took so long to fix a flaw that was identified several years back. The flaw was originally identified at Nightwatch Cybersecurity by white hat hackers in May 2015. It is only now that Google’s security staff realized it as a real threat.
It is a normal part of the operation of mobile browsers to send information to web servers. It could be anything from the browser version details to the apps currently active or the operating system. The vulnerability is related to this particular way that mobile browsers operate.
See: Microsoft fixes security flaw in Windows that existed for 19 years
A look into the vulnerability revealed that it was a serious one as it could leak all sorts of information about the device from its mobile browsers, such as the information about the mobile’s hardware model, device name, and firmware version. The vulnerability was only identified in Google Chrome for Android and not for the desktop version.
Yakov Shafranovich, a researcher at Nightwatch, explained last week in a blog post that the information can also be used to track “users and fingerprint devices.”
“It can also be used to determine which vulnerabilities a particular device is vulnerable to in order to target exploits” said Shafranovich.
Although in Oct 2018, Google did release a partial fix with its Chrome 70; however, the browser was still leaking device names while two Android components including the built-in browser WebView leaked firmware build number. Hence, a complete fix was direly needed, which Google has released now.
The vulnerability wasn’t given a CVE designation despite that it was partially fixed as a problem related to the way Android uses Chrome browser. Nightwatch revealed back in 2015 that when Chrome sends out a request to any web server to access a page’s content, it includes a series of HTTP headers. Out of these, the User-Agent header is most concerning because it includes the version number of Android and builds tag information.
See: Android devices since 2012 vulnerable to RAMpage vulnerability
Hence, an attacker only needs to develop a malicious website to be used as a watering hole or using spam tactics to drive traffic to the device and design a campaign that utilizes the information from the visiting devices to launch targeted exploitation of flaws.
“Aggravating this issue is that the user agent header is sent always, with both HTTP and HTTPS requests, often by processes running in the background. Also, unlike the desktop Chrome, on Android, no extensions or overrides are possible to change the header other than the ‘Request Desktop Site’ option on the browser itself for the current session,” added Shafranovich.
Nightwatch urges users to upgrade to Chrome 70 or later versions and to immediately fix apps that use WebView. Web developers also need to manually modify the User-Agent configuration of their apps.