Google Chrome flaw patched three years after initial report


Google has patched a security flaw in Chrome for Android that leaked information about smartphones’ hardware model, firmware version, and indirectly the device’s security patch level.

What made this bugfix stand out was the fact that security researchers first reported the issue to Google engineers back in May 2015, only to be ignored for three years, until the Chrome staff realized on their own that the information Chrome for Android was exposing was, indeed, dangerous, as it could have been used for exploit targeting and user fingerprinting.


The bug at hand was first documented in a 2015 blog post by security researchers from Nightwatch Cybersecurity. Back then, Nightwatch researchers discovered that Chrome for Android User-Agent strings contained a little bit more information than User-Agent strings on desktop versions.

On top of Chrome browser details and operating system version number information, Chrome for Android User-Agent strings also contained information about the device name and its firmware build.

Example: “ST26i Build/LYZ28K”
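As an added illustration (not code from the article, Nightwatch, or Chrome), the following log sanitiser detects the device model and firmware build field in an Android User-Agent string and strips it before the string is stored. The function name `audit_user_agent` is hypothetical, and the full User-Agent strings are constructed around the article's fragment; the OS and browser version numbers in them are placeholders.

```python
import re

# The platform comment of an Android UA, e.g.
# "(Linux; Android 4.1.2; ST26i Build/LYZ28K)"
_COMMENT = re.compile(r"\(([^()]*\bAndroid\b[^()]*)\)")
# One ';'-separated field of the form "<model> Build/<firmware build id>"
_BUILD = re.compile(r"^(?P<model>.*?)\s*\bBuild/(?P<build>\S+)$")


def audit_user_agent(ua):
    """Return (findings, redacted_ua) for a single User-Agent string.

    findings holds the device model and firmware build when present.
    redacted_ua is the same string with that field removed, so stored
    logs no longer carry the device and firmware build details.
    """
    match = _COMMENT.search(ua)
    if not match:
        return {}, ua  # desktop or other non-Android UA: nothing to strip

    findings, kept = {}, []
    for field in (f.strip() for f in match.group(1).split(";")):
        build = _BUILD.match(field)
        if build:
            findings = {"model": build.group("model"),
                        "build": build.group("build")}
            continue  # drop the leaking field
        kept.append(field)  # keep OS version, "wv" marker, etc.

    redacted = ua[:match.start(1)] + "; ".join(kept) + ua[match.end(1):]
    return findings, redacted


if __name__ == "__main__":
    # Constructed sample input; only "ST26i Build/LYZ28K" is from the article.
    samples = [
        "Mozilla/5.0 (Linux; Android 4.1.2; ST26i Build/LYZ28K) "
        "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.0.0 Mobile Safari/537.36",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
        "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.0.0 Safari/537.36",
    ]
    for sample in samples:
        found, clean = audit_user_agent(sample)
        print(found or "no device/build field", "->", clean)
```
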
