Security Affairs
FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

After 3 years, Google partially fixes a bug in Android Google Chrome

Three years after its disclosure, Google has patched an information disclosure flaw in the Android version of the popular Chrome web browser. The issue exposes devices information, including device model and firmware version, an attacker could exploit this info to remotely identify unpatched devices and target them. The flaw ties the way the Android version […]

Google Chrome Gemini Live

Three years after its disclosure, Google has patched an information disclosure flaw in the Android version of the popular Chrome web browser.

The issue exposes devices information, including device model and firmware version, an attacker could exploit this info to remotely identify unpatched devices and target them.

The flaw ties the way the Android version of Google Chrome generates ‘User Agent’ string that contains the Android version number and build information (i.e device name, installed firmware build).

Experts pointed out that this data could be used to track users and fingerprint devices.

“Google’s Chrome browser for Android tends to disclose information that can be used to identify the hardware of the device it is running on.”reads the blog post published by Yakov Shafranovich from Nightwatch Cybersecurity firm

“This problem is further exacerbated by the fact that many applications on Android use Chrome WebView or Chrome Custom Tabs to render web content.”

For example: Mozilla/5.0 (Linux; Android 5.1.1; Nexus 6 Build/LYZ28K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.34 Mobile Safari/537.36

Shafranovich reported this bug to Google three years ago, but the tech giant rejected it explaining that the app was “working as intended.”

“While Android does offer ability to override these (via WebSettings.setUserAgent() in WebView), most applications choose not to do that to assure compatibility by relying on the default header.” continues the post.
“Aggravating this issue is that the user agent header is sent always, with both HTTP and HTTPS requests, often by processes running in background. Also, unlike the desktop Chrome, on Android no extensions or overrides are possible to change the header other than the “Request Desktop Site” option on the browser itself for the current session. “

“For many devices, this can be used to identify not only the device itself but also the carrier on which it is running and from that the country.”

The flaw could be used to determine the specific build installed on a device and the Android version running on it, this information could be used by an attacker to determine if it is possible to carry out an attack exploiting specific vulnerabilities. patch level on the device and vulnerabilities.

Google has finally addressed the flaw with the release of Chrome 70 in October 2018, but the fix is only partial because the latest version only strips the firmware build information from the header. It is still possible to discover the hardware model identifier from the User Agent.

The update only impacts the app itself and not to the WebView implementation, this means that developers are recommended to manually override the User Agent configuration in their apps.

According to Shafranovich, all versions of Chrome for Android prior to version 70 are affected by the flaw.

“Both the vendor and MITRE refused to issue a CVE number to track this issue since they do not consider it to be security related”
Shafranovich added.

Android users urge to upgrade to Chrome version 70 or later.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Android Google Chrome, hacking)

[adrotate banner=”5″] [adrotate banner=”13″]