Google has issued an update to patch a security flaw in Google Chrome for Android that was left unfixed for a total of three years, according to a ZDNet report.
The flaw was identified by bug-hunters at Nightwatch Cybersecurity in 2015, but it wasn’t addressed until Google’s security team realised that the information Chrome was exposing was, in fact, dangerous.
The report states that the security flaw leaks all sorts of details about the device from its mobile browsers. That information includes the user agent string, which includes the Chrome browser details and operating version number information. The user agent string also includes information about the device name and the firmware build.
The flaw was only discovered in Google Chrome for Android and not for the desktop version of Chrome.
“For many devices, this can be used to identify not only the device but also the carrier on which it is running and from that the country,” said Nightwatch Cybersecurity. “Build numbers are easily obtainable from manufacturer and phone carrier websites such as this one.”
For attackers, the build number, along with other information about the device can let attackers know what patch level the user has, which can then be used to exploit flaws.
Google Chrome v70 patch
Google released a fix to Chrome for Android users with v70 in mid-October 2018, but the browser still leaked device names and two Android components (WebView and Custom Tabs).
In a blog post, Yakov Shafranovich, a researcher at Nightwatch, urged users to upgrade to version 70 or later. He also said that app developers should manually override the user agent configuration in their apps.