Google Chrome flaw patched three years after initial report

Issue: Chrome for Android was revealing firmware build info that could have been used for exploit targeting.

Google's changes to Chrome have users and experts up in arms Browser maker faces backlash for failing to inform users about Chrome Sync behavioral change. Read more: https://zd.net/2xym3FL

Google has patched a security flaw in Chrome for Android that leaked information about smartphones' hardware model, firmware version, and indirectly the device's security patch level.

What made this bugfix stand out was the fact that security researchers first reported the issue to Google engineers back in May 2015, only to be ignored three years, until the Chrome staff realized by itself that the information that Chrome for Android was exposing was, indeed, dangerous, as it could have been used for exploit targeting and user fingerprinting.

The 2015 bug report

The bug at hand was first documented in a 2015 blog post by security researchers from Nightwatch Cybersecurity. Back then, Nightwatch researchers discovered that Chrome for Android User-Agent strings contained a little bit more information than User-Agent strings on desktop versions.

On top of Chrome browser details and operating system version number information, Chrome for Android User-Agent strings also contained information about the device name and its firmware build.

Example: "ST26i Build/LYZ28K"

Exposing device names such as "ST26i" is dangerous, as these aren't just some generic terms. Device names can be easily translated to exact smartphone models based on already known public lists, like this, for example.

But the biggest issue was the inclusion of the firmware build number.

"For many devices, this can be used to identify not only the device, but also the carrier on which it is running and from that the country," said Nightwatch researchers in an updated blog post over the Christmas holiday. "Build numbers are easily obtainable from manufacturer and phone carrier websites such as this one."

"An example can be easily seen from the above where build LYZ28K can be easily identified as Nexus 6 running on T-Mobile, implying a US presence," researchers said.

Exploit targeting

Furthermore, knowing the build number means attackers can also determine the exact firmware number, and indirectly determine which security patch level the device is running and which vulnerabilities the device is vulnerable to.

Such information is crucial to cyber-criminals running web-based exploit kits (EKs) or to nation-state hackers that lure high-value targets on weaponized websites.

This type of sensitive information should have never been included in the User-Agent string, initially designed for basic debugging and analytics purposes.

A change of heart

While initially, Google told Nightwatch researchers that Chrome for Android was working as intended, the company changed its mind this summer, when Google engineers, on their own, began a process to remove at least the build number from the Chrome for Android User-Agent string.

That fix was silently shipped out to Chrome for Android users with v70, released in mid-October 2018.

However, the fix isn't complete. Device name strings are still listed. Furthermore, both the device name and build number are still included in WebView and Custom Tabs, two Android components that are slimmed down versions of the Chrome engine that other apps can embed inside their code so users can view web content using a built-in Chrome-like browser.

While Custom Tabs is rarely used nowadays, WebView is extremely popular, being the built-in browser of popular apps such as Facebook, Twitter, Flipboard, and others.

While most users aren't directly impacted by this issue, users who value their privacy should be aware of this leak and use another browser instead of Chrome or WebView.

A temporary fix would be to configure Chrome for Android to use the "Request Desktop Site" option when viewing websites on their phone. This is because Chrome for Android when configured to use "Request Desktop Site" broadcasts a generic Linux-like User-Agent string, with no device name or firmware build number included.

In addition, Nightwatch also recommends that app developers overwrite User-Agent strings to use either a custom string, or strip out device name and build numbers. However, most app developers have their own apps' bugs to deal with, and most devs won't even bother.

More browser coverage: