Connect with us

Hi, what are you looking for?



Vulnerability in Chrome for Android Patched Three Years After Disclosure

A vulnerabilitiy recently patched by Google in Chrome for Android was an information disclosure bug that was originally reported in 2015, but not patched until the release of Chrome 70 in October 2018, security researchers say. 

A vulnerabilitiy recently patched by Google in Chrome for Android was an information disclosure bug that was originally reported in 2015, but not patched until the release of Chrome 70 in October 2018, security researchers say. 

The issue is that the browser – along with WebView and Chrome Tabs for Android – discloses information about the hardware model, firmware version, and security patch level of the device it is installed on. Applications using Chrome to render web content are also impacted. 

This behavior, however, is defined in the Chrome docs, which state that the Chrome for Android User Agent string includes the Android version number and build information. The information is also sent to apps using WebView and Chrome Tabs APIs, and, although an option is offered to override the default, most applications choose not to do so. 

“Aggravating this issue is that the user agent header is sent always, with both HTTP and HTTPS requests, often by processes running in background. Also, unlike the desktop Chrome, on Android no extensions or overrides are possible to change the header other than the ‘Request Desktop Site’ option on the browser itself for the current session,” security researchers with Nightwatch Cybersecurity explain.

While many browsers have been long identifying the operating system and version on both desktop and mobile devices, the fact that the build tag (which identifies the device name and firmware build) is also disclosed represents the root cause of the issue, the researchers say. 

They also argue that, for many devices, this build tag can be used to identify not only the device, but also the carrier and country. The information could also be used to determine the security patch level on the device.

The disclosed information, the researchers say, can be used to track users and fingerprint devices. Furthermore, attackers could use the information to learn whether specific devices contain certain vulnerabilities and target those with their exploits. 

Advertisement. Scroll to continue reading.

The security issue was initially reported to Google in 2015, but the vendor rejected the bug report. Chrome 70, however, arrived in October 2018 with a partial fix, hiding the firmware information but still revealing the hardware model identifier. 

“Since this fix doesn’t apply to WebView usage, app developers should manually override the User Agent configuration in their apps,” Nightwatch Cybersecurity notes. 

The security researchers believe that all prior versions of Chrome for Android are affected by the vulnerability and advise all users to upgrade to version 70 or later. Google continues to treat the issue as not being security related, and a CVE number hasn’t been issued, the researchers say. 

When contacted about the issue in 2015, the vendor said all is working as intended. Last year, however, a new bug was filed by the vendor, along with a feature request, and Chrome 70 for Android brought the aforementioned partial fix, which only applies to the browser itself. 

Related: Chrome 70 Updates Sign-In Options, Patches 23 Flaws

Related: Chrome 71 Patches 43 Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.