Google Chrome Flaw Patched Three Years After Initial Report
(Jan 3, 2019)
In mid-October 2018, Google quietly released a patch for a "Google Chrome for Android" vulnerability that was first reported on in May 2015. This vulnerability leaked information regarding the device's firmware version, hardware model, and security patch level without the user's knowledge. Researchers from Nightwatch Cybersecurity first discovered the flaw in 2015 where they found that the Chrome for Android's User-Agent strings contained information, such as the device name and firmware build, which the desktop User-Agent strings did not have. Revealing the device name means that threat actors could potentially translate this to the exact model of smartphone. The firmware build number meant that actors could identify the device model as well as the carrier it is running and in what specific country it is running in. The firmware number could allow actors to know how secure a device is and what vulnerabilities it may possibly have in order to then exploit those. Google initially stated the Chrome for Android was working as intended, but in October 2018, it sent out a fix for users with v70. However, this fix still is not comprehensive as devices name strings are still accessible and the device name and build number can still be viewed in "WebView" and "Custom Tabs."
Recommendation: A temporary fix to this vulnerability is to configure Chrome for Android to use "Request Desktop Site" option in their settings to view websites on their phone which removes the device name and build number from the User-Agent strings. The potential ability of threat actors to be able to identify the model and security patch level is worrying for individuals deemed to hold valuable information on their smartphones. Identifying said data could allow threat actors to conduct highly-targeted attacks that would be difficult to detect. This story can serve as a reminder of the importance of proper patch maintenance as well as keeping up-to-date with cyber threats to develop policies to address vulnerabilities or data leaks.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.